FAST FACTS

Population: 24,206,636

Capital: Niamey

President: Mohamed Bazoum

2021 Freedom House Score: 48/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, privacy in enshrined in Niger’s Constitution under Articles 27 and 29.

DPA legislation: Data protection in Niger is governed by Law No. 2017-28, which was subsequently amended by Law No. 2019-71 in December 2019. Together, these Acts detail the enforcement responsibilities of the Haute autorité de protection des données à caractère personnel (HAPDP) and provide for the legitimate processing of personal information.

The HAPDP announced that it had officially launched on 5 August 2020.

Under Law No. 2017-28, individuals have the right to:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• oppose, for legitimate reasons, the processing of personal data concerning them;
• oppose the processing of their personal data for prospecting purposes;
• rectify, complete, update, lock, or delete personal data concerning them where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited; and
• not be subject to decisions made on the sole basis of an automated processing that would produce significant or adverse legal repercussions for them.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: Yes

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No

Personal data is all information of any nature related to an identified or identifiable natural person, including sounds and images, directly or indirectly referencing an identification number, or one or more elements specific to his physical, physiological, genetic, psychological, cultural, social, or economic identity.

Sensitive data is all personal data relating to religious or philosophical opinions or activities, political affiliation, sex life, race, health, social measures, prosecutions, and criminal or administrative sanctions.

The processing of sensitive data is prohibited barring certain exceptions.

Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which they are a party; or
• safeguarding the interests or fundamental rights and freedoms of the data subject.

Personal data must be:

• collected, processed, stored, transmitted, and interconnected fairly, lawfully, and legitimately;
• collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with these purposes;
• adequate, relevant, and not excessive for the purposes for which it is collected and further processed;
• kept for no longer than necessary to achieve the purposes for which it was collected and processed;
• accurate and updated, if necessary;
• processed confidentially; and
• protected to prevent it from being distorted, damaged, or accessed by unauthorised third parties.

Interconnection of personal data shall:

• not discriminate against or limit the fundamental rights, freedoms, and guarantees of data holders;
• ensure the use of appropriate safety measures; and
• take into account the principle of relevance.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Unclear

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 9

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Transfer of personal data to another country is allowed only when that country provides a superior or equivalent level of protection for privacy, freedoms and fundamental rights of individuals regarding the processing of personal data.

Provides a right not to be subject to automated decision-making: Yes