Navigating Nigeria’s Data Protection Act

Nigeria’s new Data Protection Act will enhance data security, increase privacy protection and establish robust mechanisms for international data transfers while ensuring adequate data protection standards which should ultimately boost economic activity in Nigeria.

Implementation of the Act seeks to introduce data protection principles of fairness, transparency, and accountability, and includes the establishment of the Nigerian Data Protection Commission. The Commission will oversee the safe practices of data protection in Nigeria which includes fostering the development of data protection technologies, promoting public awareness of data protection, accrediting data protection compliance services, registering data controllers and data processors of major importance, receiving complaints of violations and attaining the objectives of the Act.

Among other things, the Act seeks to protect the rights of data subjects. Etisang Solomon, a lawyer and data protection expert, explained that data subjects are guaranteed their rights under Part VI of the Act. This includes the right to be informed before any of their data is processed, and the right to access, correct, erase, restrict and object to the processing of their data. "Data subjects can also request for their data to be transferred in a commonly used and machine-readable format to another organisation as well as not to be subject to a decision based solely on automated processing, including profiling," he said.

Speaking on some of the striking introductions of the Act, Olumide Babalola, a data protection lawyer, noted that "the right of withdrawal of consent is an ingenious addition to data subjects’ rights even though it appears a reproduction of the right to object or restrict further procession. After all, where consent is given to processing activity, there ought to be a corresponding right to withdraw (the) same."

The data subject has the right to lodge a complaint with the Commission, though the Act allows for the suspension of these rights if it falls under the exceptions of its applicability under Section 3 of the Act.

Section 29 of the Act is also instructive on the contents of Data Processing Agreements. Olumide noted that this will provide clarity on what controllers should instruct processors to do. By including specific instructions beyond the contract requirement, this provision ensures that controllers take active responsibility for the data they collect and entrust to processors.

Mustapha Atoyebi, a data protection enthusiast lauded the Act overall, saying he believes it creates a balance between the protection of data subjects while making sure that data flow is not so restricted that it frustrates the economy. Overly restrictive regulations could have hindered businesses’ ability to access and utilise data from different sources. If this happened it could disrupt supply chains, limit market insights, and impede innovations.

However, Atoyebi still feels that the data protection ecosystem can be further improved and that some parts of the Act require additional reformation. One such area is that of licensing data protection compliance which will require lawyers already authorised under the Legal Practitioners Act to deal with another wave of licensing requirements to represent the interests of their clients.

To join Africa Legal's mailing list please click here