Today we break down the Data Protection laws and policies in Nigeria.
The protection of a person’s personal data has become a subject of legislation all around the world, and countries have engaged in disputes with both local and global firms over it.
This article’s objective is to analyze Nigeria’s data protection system. It identifies its advantages, disadvantages, and limitations, before comparing it to the global norm for human rights in terms of privacy.
Related:
Best Internet Service Providers in Nigeria
An overview of Value-Added Tax (VAT) in Nigeria
How to register a Non-Governmental Organization (NGO) in Nigeria
Contents
Data protection and Nigeria
The Nigeria Data Protection Regulation was released by the National Information Technology Development Agency in 2019. It acts as the fundamental legislative foundation for data protection in Nigeria. On January 25, 2019, the Nigerian Data Protection Regulation (NDPR) was released in accordance with Section 35 of the National Information Technology Development Agency Act.
The fundamental purpose of the NDPR is to ensure the security and privacy of personal data. According to Regulation 1.2 of the NDPR 2019, the rules of the NDPR apply to any transactions involving the processing of natural person data in Nigeria. Therefore, it is sufficient to conclude that the NDPR applies to the gathering of personal information about foreign nationals in Nigeria. Additionally, it applies to transactions that call for the processing of personal information relating to Nigerian citizens abroad.
Regulations 2.2 (a) and 2.3 of the NDPR reiterate the generally held worldwide opinion that consent is required when processing personal data. According to the NDPR, permission should be gained willingly and not through deception, force, or undue influence. The data controller is responsible for ensuring that permission is given willingly. The data controller advises the data subject of his right to revoke permission at any moment prior to receiving the data. Personal information submitted to data controllers shall be treated with strict confidentiality. It will be held only for the time necessary and gathered with proper regard for atrocities. (These encompass abuses of children’s rights, criminal activity, anti-social behavior, and human dignity).
Strong limitations on the transfer of personal data to third parties and nations are made available. This strengthens and guards the data of natural persons against unauthorized access. An official contract between the data controller and the third party is required before personal data can be transferred to them. (This is according to Regulation 2.7 of the NDPR 2019). Regarding foreign restrictions, Regulation 2.11 of the NDPR 2019 specifies that the Attorney General of the Federation shall have the authority to regulate and monitor the transfer of data to foreign countries.
Data protection in Nigeria and the international human rights standard on privacy
A definite and universal framework for the protection of the right to privacy is provided by international human rights law. The provisions of the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR) make this clear. Both Article 12 of the UDHR and Article 17 of the ICCPR guarantee that no one’s privacy will be invaded without their consent. The two treaties also concur that a person’s right to privacy should be guaranteed by their nation’s legal system.
In addition to the two treaties, the Human Rights Committee, in its general comment No. 16 in the Official Records of the UN General Assembly, 43rd Session Supplement No. 40 (A/43/40), annexe VI, para. 8, agreed that the personal data of individuals should be protected when provided voluntarily to big data collection enterprises for access to goods, services, and information.
A definition provided by the Human Rights Committee for the term “arbitrary” was that it meant “no interference could take place, except in circumstances permitted by the law of the country.” As a result, it is sufficient to state that state intrusions into people’s privacy are governed by national legal regulations. A nation’s laws must permit interference with personal data to occur there.
The NDPR commendably protects individual personal data and establishes precise rules for the gathering, storing, and transfer of information about natural persons. Additionally, it recognizes global best practices with regard to data controllers’ responsibility, liability, and accountability.
An action deserving of praise is the establishment of an Administrative Redress Panel pursuant to Regulation 3.2 of the NDPR 2019. In annexe V, paragraph 48, of the Official Records of the Human Rights Council, Twenty-Seventh Session Supplement No. A (HRC/27/37), the Human Rights Council made recommendations regarding the implementation of the global standard for human rights relating to privacy in 2014. The creation of enforcement mechanisms to hold data controllers accountable for violations of data protection breaches was among the recommendations made; Nigeria complies with this recommendation thanks to the Administrative Redress Panel’s existence.
However, one of the shortcomings of the NDPR stated in Regulation 2.2 (b, c, d, and e) of the NDPR 2019 is the release of personal data without consent in the following circumstances:
- the Data Subject is a party to a contract;
- the Data Controller must comply with legal obligations;
- the Data Subject or another natural person’s interests are at risk; and
- the release of personal data is necessary to carry out a task for the public interest.
However, due to the Human Rights Committee’s agreement on the definition of “arbitrary,” it still maintains a balance with the international human rights standard on privacy.
Conclusion
This article compares Nigeria’s data protection laws to the global standard for human rights and privacy protection.