Nigeria in step with EU on Data Laws

Lagos-based lawyer Rilwan Shittu looks at how Nigeria is taking major steps in data protection and privacy

The coming into force of the European Union’s General Data Protection Regulation or “GDPR” and the recent data scandals involving major corporations such as Facebook, have underscored the need for Nigeria to put in place a comprehensive framework for data protection and privacy.

In view of this, in January this year, the National Information Technology Development Agency (NITDA) published the Nigeria Data Protection Regulation (NDPR), which is the first comprehensive body of regulations centered on data protection in Nigeria.

The NITDA, in publishing the regulations, was acting pursuant to its powers under Section 6(c) of the NITDA Act of 2007 which mandates the agency to develop regulations for electronic governance and to monitor the use of electronic data interchange and other forms of electronic communication transactions.

Prior to the enactment of the NDPR, the only legislation that made provisions on privacy and data protection were the 1999 Nigerian Constitution (as amended) which guarantees the right to privacy for Nigerian citizens and a few provisions under the Freedom of Information Act and the Cybercrimes (Prohibition, Prevention, etc.) Act.

The NDPR applies to all Nigerians, whether resident in Nigeria or not, and is focused on seeking and obtaining consent, preventing unauthorized use of personal data of individuals and the protection of data by persons entrusted with the protection of personal data of individuals. In essence, it seeks to safeguard the rights of Nigerians to data privacy and to ensure exchange of personal information in a safe and secure way, thereby preventing the manipulation and misuse of personal data.

A data subject, under the regulations, possesses the right to: object to the processing of their data without consent; restrict processing of their data; request deletion of their personal data; and, receive data in a structured form.

The NITDA is also empowered to enforce compliance and penalize defaulters for breach and failure to comply with the provisions of the regulations. Penalties include the payment of a 2% fine of yearly gross revenue of the preceding year or N10 million (about GBP22,000), whichever is greater, in a case where the data controller has been dealing with more than 10,000 data subjects. The regulation also creates an administrative panel as an alternative means for seeking redress in cases of breach of the provisions of the regulations.

Earlier this month, the NITDA announced that the full implementation of the regulations had commenced in Nigeria.

Related to this, there is also a Data Protection Bill before the Nigerian House of Assembly. The House of Representatives of Nigeria, presided over by Speaker Yakubu Dogara, on May 8, 2019 voted and passed the Bill. The Bill is currently before the Senate and, according to stakeholders, is expected to be passed before the end of the year.

The efforts of NITDA and the Nigerian government are a step in the right direction. Data protection and privacy are critical in ensuring that Nigerian businesses remain globally competitive. Data protection is a key component for the ease of doing business and is a major requirement in ensuring confidence in business transactions, and the smooth operation of commerce and industry.


To read more Nigeria focused news click here