G.Elias

 

What law(s) specifically govern personal data / information?

  • The Constitution of the Federal Republic of Nigeria, 1999 (as amended).
  • National Information Technology Development Agency Act, 2007.
  • The Nigerian Data Protection Regulation, 2019 (the “NDPR”).
  • The Nigerian Data Protection Regulation 2019: Implementation Framework, 2020 (the “Framework”).

 

What are the key data protection principles in this jurisdiction?

  • The collection and processing of personal data must be done in accordance with a specific, legitimate and lawful purpose consented to by the data subject.
  • The adequacy and accuracy of the personal data must be without prejudice to the dignity of a human person.
  • Personal data must be stored only for the period for which it is reasonably needed.
  • Personal data must be secured against foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

(NDPR, Article 2.1)

 

What is the supervisory authority / regulator in charge of data protection?

National Information Technology Development Agency (“NITDA”). However, the President of the Federal Republic of Nigeria, President Muhammadu Buhari, in February 2022 established the Nigeria Data Protection Bureau (the "Bureau") with the primary mandate of focusing on data protection and privacy in Nigeria as well as the administration and implementation of the NDPR. There is, as yet, no enabling law establishing the Bureau. However, we are aware that some legislative framework is being set up.

 

Is there a requirement to register with a supervisory authority / regulator?

Data Protection Compliance Organizations (“DPCOs”) are to be registered and licensed by NITDA so that, on behalf of NITDA, they can monitor, audit, conduct training and provide data protection compliance consulting to data controllers for the purpose of ensuring compliance with the NDPR and Framework.

(NDPR, Article 4.1(4))

 

Is there a requirement to notify the supervisory authority / regulator?

Data controllers have a duty of self-reporting breaches of personal data to NITDA within 72 hours of knowledge of such breach.

(Framework, Paragraph 9.2)

 

Is it possible to register with / notify the supervisory authority / regulator online?

It is possible for DPCOs to carry out their licensing registrations online. However, the NITDA team might also carry out some on-site assessment. The regulator can be notified of any matter relating to data protection online. This is without prejudice to follow-up requests for physical meetings or documentation.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Article 3.1 of the NDPR outlines the rights of data subjects. These include:

  • right to information relating to data processing from data controllers in a concise, transparent, intelligible, and easily accessible form;
  • information provided to a data subject and any communication and actions taken shall be provided without cost except in exceptional circumstances;
  • prior to the collection of personal data from a data subject, data controllers are, amongst others, mandated to inform data subjects about the purpose and legal basis for the processing for which the personal data are intended;
  • right to be informed of the appropriate safeguards in a foreign country in the event of transfer of personal data to a foreign country or international organization;
  • right to request the deletion of personal data without delay in applicable circumstances; and
  • the exercise of the rights of a data subject shall be in conformity with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

The NDPR and Framework provide for the appointment of a Data Protection Officer by every data controller for the purpose of ensuring compliance with the NDPR and Framework.

(NDPR, Article 4.1(2); Framework, Paragraphs 3.4-3.7)

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

By Paragraph 4.2 of the Framework, a data protection impact assessment (DPIA) is to be conducted by data controllers and administrators where applicable.

However, NITDA may request the submission of DPIAs from any data controller or administrator where such data processing activities are considered to be of high impact on data subjects.

A data protection impact assessment may be required for the following types of processing:

  • evaluation or scoring (profiling);
  • automated decision-making with legal or similar significant effect;
  • systematic monitoring;
  • when sensitive or highly personal data is involved;
  • when personal data processing relates to vulnerable or differently abled data subjects; and
  • when considering the deployment of innovative processes or application of new technological or organizational solutions.

 

Does this jurisdiction have any specific data breach notification requirements?

There are specific data breach notification requirements under the NDPR and the Framework.

Data controllers are mandated to report personal data breaches to NITDA within 72 hours of knowledge of such breach and immediately notify the data subject of the personal data breach where such is likely to negatively impact the freedom and rights of the data subject.

A notification of data breach to NITDA must include the following:

  • a description of the circumstances of the loss or unauthorized access or disclosure;
  • the date or time during which the breach occurred;
  • a description of the personal information involved in the data breach;
  • an assessment of the risk or harm to individuals as a result of the breach;
  • an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the breach;
  • a description of the steps the data controller has taken to notify the data subjects of the breach and to reduce the risk to individuals;
  • the contact details of a representative of the data controller for the purpose of responding to NITDA’s investigation on the breach.

(Paragraph 9, Framework)

 

What restrictions apply to the international transfer of personal data / information?

The Nigerian jurisdiction restricts the transfer of personal data out of the jurisdiction.

Any transfer of data out of the jurisdiction must be done subject to other provisions of the NDPR and with the approval of the Honourable Attorney General of the Federation (HAGF) through the NITDA.

(NDPR, Regulation 2.11)

To ensure a lawful transfer of personal data outside the jurisdiction, NITDA or the HAGF shall confirm the adequacy of data protection safeguards in the recipient foreign jurisdiction, by taking into consideration the following:

  • the adequate level of data protection in the recipient foreign jurisdiction;
  • the legal system of the recipient foreign jurisdiction;
  • the compliance of the recipient foreign jurisdiction with data protection legislations and rules, security measures, as well as effective and enforceable data subject rights and administrative/judicial redress for the data subjects whose personal data is being transferred;
  • the existence and effective functioning of one or more independent supervisory authorities in the recipient foreign jurisdiction; and
  • the international commitments which the foreign recipient has entered into and is bound by in relation to the protection of personal data.

However, in the absence of any decision/confirmation by the NITDA or HAGF as outlined above, a transfer of personal data shall only take place if:

  • the consent of the data subject has been expressly obtained;
  • the transfer is necessary for the implementation of pre-contractual measures or performance of a contract;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
  • the transfer is necessary for important reasons of public interest; and
  • the transfer is necessary for the establishment, exercise or defence of legal claims and protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

(NDPR, Regulation 2.12)

Further, a transfer of personal data is permitted where such transfer is to an affiliate company or subsidiary, provided that such transfer is done pursuant to standard contractual clauses or binding corporate rules, or is included in the annual data protection audit report, both of which are submitted to NITDA. (Framework, Paragraph 7.3)

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the data protection laws of Nigeria have an extra-territorial effect on organizations outside Nigeria.

The NDPR applies to all transactions and business activities involving the processing of personal data of all natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

(NDPR, Regulation 1.2)

 

What rules specifically deal with marketing?

Data processing for the purpose of marketing is contemplated and permissible under the data protection regime. Such processing is subject to the usual rights of the data subject to object to processing intended for marketing purposes and to the requirement for specific consent therefor (except for marketing directed at existing customers).

(The Framework, Paragraph 5.3.1)

(NDPR, Regulation 2.8)

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No. The same rules apply to both contexts of marketing, provided that the business activity involves the processing of the personal data of natural persons and/or data subjects within the meaning of the NDPR.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Electronic marketing is captured under the same general rules relating to marketing as discussed above.

(The Framework, Paragraph 5.3.1)

 

What rules specifically deal with cookies?

Yes. Privacy policies shall, amongst other relevant information, contain details of the technical methods used to collect and store personal information, cookies, etc.

(NDPR, Paragraph 2.5 (d))

The NDPR also provides for consent for the use of cookies on a website or other digital platforms. The consent for the use of cookies must be freely given, informed and specific.

Website owners are also required to:

  • make cookie information clear and easy to understand;
  • notify users of the presence and purpose of the cookies;
  • identify the entity responsible for the use of the cookies; and
  • provide information on how to withdraw consent from the use of the cookie.

(The Framework, Paragraph 5.6)

Additionally, the NDPR does not differentiate between the type of cookies used.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The NDPR provides for the punishment of fines for data breaches.

Consequently, any person to whom the NDPR applies and who is found to breach the data privacy rights of any data subject shall be liable, in addition to any criminal liability in Nigeria, to:

  • in the case of a data controller dealing with more than 10,000 data subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater; and
  • in the case of a data controller dealing with less than 10,000 data subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater.

(NDPR, Regulation 2.10)

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

There are no unique considerations other than those already broadly discussed above, especially as they relate to the lawful transfer of personal data out of the jurisdiction.

 

What upcoming data protection developments should multinational organisations be aware of?

Currently, there is a draft Data Protection Bill 2020 before the National Assembly which is aimed at the regulation of data processing activities carried out by data processors and controllers within Nigeria. Accordingly, it is important for a multinational organisation involved in data processing, or whose activities revolve around the control of data, to be aware of and monitor the bill, which contains the obligations that data processors and controllers are to fulfil if it is eventually passed into law.

On the 25th of October 2021, the Lagos State Data Protection Bill (“LDP Bill”) passed the second reading at the Lagos State House of Assembly. The aim of the LDP Bill is to set out standards, rules, and salient overarching principles for the processing of personal data and compliance obligations for data controllers and data processors within the state.

To avoid being subject to penalties and having to suffer a disruption of business activities, it is advisable for multinational organisations to monitor the aforementioned bills and other upcoming developments in the Nigerian data protection space.

 

Need more information?
Contact a member firm:
Gbolahan Elias
G Elias
Nigeria


Similoluwa Oyelude
G Elias
Nigeria


Ebimobowei Jikenghan
G Elias
Nigeria