On June 12, 2023, President Bola Tinubu signed into law, the Nigeria Data Protection Bill, 2022.
The bill was conveyed to the National Assembly by former President Muhammadu Buhari and was passed by the two chambers in April 2023.
Objectives of the bill, now an Act include, to provide for the regulation of the processing of personal data; to promote data processing practices that protect the security of personal data and the privacy of data subjects; to ensure that personal data is processed in a fair, lawful and accountable manner; to protect data subjects’ rights, and provide remedies and means of recourse in case of breach of those rights; ensure that data controllers and data processors fulfil their obligations to data subjects; minimize the harmful effect of personal data misuse or abuse on data subjects and other victims; and also to contribute to the legal foundations of the digital economy of Nigeria and its participation in the regional and global economies through the beneficial, trusted use of personal data.
The key provision of the new law is the establishment of the Nigeria Data Protection Commission, which replaces the Nigeria Data Protection Bureau (NDPB) established by immediate past President Muhammadu Buhari in February 2022.
The commission is empowered, among others, to regulate the deployment of technological and organisational measures to enhance personal data protection; to foster the development of personal data protection technologies, in accordance with recognised international best practices and applicable international law; to conduct investigations into any violation of a requirement under the Act; and impose penalties in respect of any violation of the provisions of the Act or subsidiary legislation made thereof.
The new body will be headed by a National Commissioner appointed by the President for a term of four years which is renewable once.
The Act outlines the principles of the processing of personal data, while also establishing the rights of a data subject—a person whose information is being collected. Section 24 states that the data controller or data processor must ensure that data is collected legitimately and “processed in a manner that ensures appropriate security”.
It categorically defines data subject rights such as the right to object, withdraw consent, data portability, and the right not to be subject to a decision based primarily on the automated processing of personal data.
The Act aims to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria.
It would also ensure that data controllers and data processors fulfil their obligations to data subjects, and minimize the harmful effect of personal data misuse or abuse on data subjects and other victims.
There had been reported cases of abuse and theft of data of Nigerians, especially by loan sharks.