Nigeria's President, Bola Ahmed Tinubu has signed the Data Protection Bill 2023 into law. Proposed earlier by ex-President Muhammadu Buhari, the bill provides a legal shield to protect your personal data online and offline in Nigeria.
The bill also sets up the Nigeria Data Protection Commission. A National Commissioner will lead it, controlling how personal data is processed.
Dr Vincent Olatunji, National Commissioner of the Nigeria Data Protection Bureau (NDPB), announced this at a workshop in Abuja, where they were validating the NDPD's strategic plan.
In 2019, the Nigerian Information Technology Development Agency (NITDA), launched the Nigerian Data Protection Regulation. Though the regulation had its merits, it left much to be desired. Expert comments clamoured for the introduction of the data protection bill.
Why is the data protection bill necessary, you may ask?
Imagine a world without walls or fences. A world where every whisper, every secret, every moment is up for grabs. Sounds terrifying, right? That’s what the Internet - Your Google, Facebook, Twitter, and Instagram- would look like in the absence of data protection laws.
Our personal information - from our date of birth to our medical records, from our purchasing habits to our deepest fears and desires - is at the mercy of companies, marketers, and even malicious actors.
There have been various issues of hacks and data breaches in and outside Nigeria, that have affected its citizens.
It's the invisible gold of the digital age, traded and used without our consent or knowledge, at the risk of our security, our identity, and our very essence. Okay, let me stop scaring you. Our Senior Editor, Oluwanifemi, spoke to a hacker about this.
Nigeria's data protection bill (now a law) gives us an opportunity to regain control of our data and provide more privacy as we surf the Internet.
Key highlights of the bill
Protection of Personal Data: The crux of the Bill is the protection of individuals' personal data. It legally mandates organisations and individuals to respect and protect an individual's privacy by securing their personal data.
Establishment of Nigeria Data Protection Commission: The Bill mandates the creation of a Data Protection Commission. This entity is responsible for the enforcement of the rules and regulations set out in the Bill.
Appointment of a National Commissioner: A National Commissioner is to head the Commission, overseeing the protection of personal data and ensuring organizations adhere to the new legal framework.
The difference between both is determined by the amount of data being processed, but the bill doesn't state it. It leaves that decision to the commission.
Provisions that caught our eye
Here are some interesting provisions from the Nigerian data protection bill 2023
Who can handle Nigerians' data?
Data controller or processor: A company or individual that determines the purpose of collecting data and how that data is processed. There's a data controller of major importance and not of major importance.
They can either be entities that reside in Nigeria, process data within Nigeria or they're not domiciled in Nigeria but processes the data of Nigerians.
Companies must make sure you give consent before using and processing your data. Silence or inaction will not be taken as consent. Even after obtaining consent, you can still withdraw consent from the company at any time you choose.
Consent must be affirmative, and not through pre-selected means. It must be in writing, orally or through electronic means.
Children do not have the right to give consent, so companies must take steps to verify the age of whoever they want to collect data from.
Your rights as a data subject
The data protection bill 2023 gives you the right to
- Demand what type of data is being collected, where it's being stored, and who else will be using that data apart from the company that collected it.
- Demand that the company erases or rectifies the data in use at any time.
- Object to the use of data for marketing purposes - Remember all those ads you see on Facebook after talking about it with your friends? Yes, that.
Companies can no longer transfer data outside Nigeria unless there's valid legal backing.
That is, the company that is receiving your data outside the country, has a valid data protection law and procedures in place to ensure the safety of your data. The company will also be subject to sanctions under Nigeria's data protection law if there's any violation.
The bill institutes several provisions for data breaches where the company has to report to its partners and the data protection commission.
When a breach that's likely to harm your rights and freedom happens, the bill mandates companies to notify you immediately. Either directly, or through public media.
Companies or individuals found in any violation could be sanctioned in various ways. Some include:
- Giving a part of the profits realised from the violation to a data subject
- Paying a fine - of ₦10 million for data controllers of major importance and ₦2 million for data controllers not of major importance.
This is just a sneak peek into Nigeria's data protection bill 2023, and there should be exciting conversations ahead.