Population: 23,926,204

Capital: Niamey

President: Mahamadou Issoufou

2019 Freedom House Score: 49/100

Data protection law? Exists, not enforced

Data protection in Niger is governed by Law No. 2017-28, which details enforcement responsibilities for the Haute autorité de protection des données à caractère personnel (HAPD). 

Under Law No. 2017-28, individuals have the right to: 

• obtain all of their personal data in an understandable form, as well as any available information as to the origin; 
• oppose, for legitimate reasons, the processing of personal data concerning them; 
• oppose the processing of their personal data for prospecting purposes; 
• rectify, complete, update, lock, or delete personal data concerning them where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited; and 
• not be subject to decisions made on the sole basis of an automated processing that would produce significant or adverse legal repercussions for them. 

Personal data is all information of any nature related to an identified or identifiable natural person, including sounds and images, directly or indirectly referencing an identification number, or one or more elements specific to his physical, physiological, genetic, psychological, cultural, social, or economic identity. 

Sensitive data is all personal data relating to religious or philosophical opinions or activities, political affiliation, sex life, race, health, social measures, prosecutions, and criminal or administrative sanctions. 

The processing of sensitive data is prohibited barring certain exceptions. 

Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for: 

• compliance with a legal obligation to which the controller is subject; 
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which they are a party; or 
• safeguarding the interests or fundamental rights and freedoms of the data subject. 

 Personal data must be: 

• collected, processed, stored, transmitted, and interconnected fairly, lawfully, and legitimately; 
• collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with these purposes; 
• adequate, relevant, and not excessive for the purposes for which it is collected and further processed; 
• kept for no longer than necessary to achieve the purposes for which it was collected and processed; 
• accurate and updated, if necessary; 
• processed confidentially; and 
• protected to prevent it from being distorted, damaged, or accessed by unauthorised third parties. 

Interconnection of personal data shall: 

• not discriminate against or limit the fundamental rights, freedoms, and guarantees of data holders; 
• ensure the use of appropriate safety measures; and 
• take into account the principle of relevance. 

The HAPD is an independent administrative authority responsible for ensuring that personal data is treated in accordance with the provisions of Law No. 2017-28. Among other things, it is charged with: 

• informing citizens and data controllers of their respective rights and responsibilities surrounding the processing of personal data; 
• elaborating on the rules related to personal data processing; 
• advising those planning to implement data processing operations; 
• receiving and investigating complaints about the misuse of personal data
• participating in research activities to advance the protection of privacy and personal data;
• imposing administrative sanctions on data controllers in the case of non–compliance;
• informing the relevant judicial authority of offences committed under the law;
• keeping a public register of personal data processing operations;
• proposing amendments to simplify and improve data protection legislation, where necessary; and
• participating in international negotiations surrounding personal data protection, and putting in place measures to cooperate with international data protection authorities.

The processing of personal data is subject to prior notification to the HAPD. If a data controller appoints a data protection officer, notification is unnecessary unless personal data is being transferred across national borders. 

Transfer of personal data to another country is allowed only when that country provides a superior or equivalent level of protection for privacy, freedoms and fundamental rights of individuals regarding the processing of personal data. 

No breach notification protocol is stipulated under Nigerien law.