In recent years, Nigeria has been criticised for failing to pass a data protection law while many other African countries have successfully done so. Instead, the country previously relied on the Nigeria Data Protection Regulation, 2019 (NDPR), released by the National Information Technology Development Agency (NITDA), which has now been replaced by the Data Protection Act. Several sections of the Act focus on the safeguards required during the processing of personal information. Section 24 of the Act emphasises the principles governing the processing of personal data and mandates data controllers and processors to collect data lawfully and process it securely. Section 25 provides the lawful basis for personal data processing, requiring the consent of the data subject for specific purposes. The legislation further outlines the rights of data subjects in sections 34 – 37, ensuring that individuals have control over their personal information. The Act prohibits the cross-border transfer of personal data, except when legally permitted, and enhances accountability by mandating all data controllers and processors who are considered of “significant importance” to register with the regulatory authority within six months of the law’s commencement.
One of the key provisions of the newly enacted law is the establishment of the Nigeria Data Protection Commission (NDPC), replacing the former Nigeria Data Protection Bureau (NDPB). The Commission will possess extensive powers as outlined in section 6 of the Act, including the power to issue regulations, rules, directives, and guidance. The Act also introduces a Governing Council, chaired by a retired judge from a superior court of record.
- The Data Protection Act, 2023 is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].