Nigerian Data Protection Bill to Move Forward

Nigeria's Federal Executive Council (FEC) has approved the Nigeria Data Protection Bill (NDPB) on February 25th. The bill will now be sent for consideration to the National Assembly by the Minister of Justice and Attorney General of the Federation. The NDPB aims to protect the fundamental rights and freedoms of data subjects, promote fair and lawful processing of personal data, safeguard security and privacy of data subjects, and establish an independent regulatory commission. If approved, it will replace the NDPR (Nigeria Data Protection Regulation) issued in January of 2019 and the Data Protection Bill 2020,  as the main legal framework for data privacy in Nigeria.

What is the NDPB?

The NDPB conforms to other modern privacy regulations by outlining the definitions of concepts such as data controller, data processor, biometric data, personal information, and sensitive personal information.

For example, it defines personal data as 

“any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual,”

and ‘biometric data’ as

“personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis.”

This law differs from others in that it classifies data controllers and processors into two categories: a general one and a second one referred to as "data controllers or data processors of major importance." The latter category includes those processing personal data of a certain number of data subjects within Nigeria or those processing data of particular value or significance to the country's economy, society, or security. This applies to data controllers or processors that are domiciled, ordinarily resident, or ordinarily operating in Nigeria.

It applies to data processors who are domiciled in or operating on the territory of Nigeria, whose data processing operations take place in the country, or who process the personal data of Nigerian data subjects, and it excludes personal data processing for personal purposes, same as with other data privacy regulations around the world. 

As far as data subject access rights are concerned, it offers eight such rights, namely:

• Right to be informed
• Right to access data 
• Right to correct inaccurate data 
• Right to delete personal data 
• Right to restrict processing 
• Right to object to processing 
• Right to object to automated processing
• Right to the portability of data 

However, it does not impose a deadline for answering the requests choosing instead a more vague approach that says that covered entities have to reply “without constraint or unreasonable delay.”

Last but not least, under the NDPB, penalties would be divided between two categories of data controllers and processors: those of major importance and all others. For data controllers or processors of major importance, the maximum penalty per violation mandated is ₦10,000,000 (approx. $21,700) or "two percent of its annual gross revenue derived from Nigeria in the preceding financial year," whichever is higher. For other data controllers or processors, the maximum penalty per violation is ₦2,000,000 (approx. $4,500) or "two percent of its annual gross revenue derived from Nigeria in the preceding financial year," whichever is higher. In case of criminal offenses, such as failure to comply with NDPC enforcement orders, penalties may include the above-mentioned fines, imprisonment for up to one year, or both fine and imprisonment.