DATA PROTECTION FACTSHEET
President: Muhammadu Buhari
2021 Freedom House Score: 45/100
Data protection law? The Data Protection Act, 2023, was signed into law by President Tinubu on 14 June 2023.
Privacy enshrined in Constitution: Yes. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides for the right to privacy.
DPA legislation: The Data Protection Act, 2023 was signed into law by President Tinubu on 14 June 2023. In addition, in 2019 the National Information Technology Development Agency (NITDA) released the Nigeria Data Protection Regulation (NDPR). However, this has now been superseded by the Data Protection Act, 2023.
The analysis that follows is based on the 2023 Act unless otherwise specified.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: Yes
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data means any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
Sensitive personal data means data relating to:
- genetic and biometric data, for the purpose of uniquely identifying a natural person;
- race or ethnic origin;
- religious or similar beliefs, such as those reflecting conscience or philosophy;
- health status;
- sex life;
- political opinions or affiliations;
- trade union memberships; or
- any other personal data prescribed by the Commission as sensitive personal data.
Personal data must be collected and processed for a specified, explicit, and legitimate purpose, must not be further processed in a way incompatible with those purposes, and must be:
- adequate, relevant and limited to the minimum necessary for the purposes;
- retained for no longer than is necessary;
- accurate, complete, not misleading and, where necessary, kept up to date; and
- processed in a manner that ensures appropriate security.
For personal data processing to be lawful, at least one of the following must apply:
- The data subject has consented to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party.
- Processing is necessary for the controller or the data subject to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or another individual.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor.
- Processing is for the purposes of the legitimate interests pursued by the data controller or data processor.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: Yes
Exceptions exist to breach notifications: Yes
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 7
Maximum term length for members of the DPA (years): 8 (for non-executive members; 10 for the National Commissioner)
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: No
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
For an extra-territorial transfer of personal data to occur, the recipient of the data must be subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection. Alternatively, the transfer may occur if:
- the data subject has consented;
- the transfer is necessary for the performance of a contract to which the data subject is party;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
- the transfer is for the sole benefit of the data subject and it is not reasonable to give consent;
- the transfer is necessary for the public interest or the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of the data subject or other persons incapable of giving consent.
Provides a right not to be subject to automated decision-making: Yes