On 12 June 2023, President Bola Ahmed Tinubu, GCFR, signed the Nigeria Data Protection Bill, 2023 into law as Nigeria Data Protection Act, 2023 (“the Act” or “NDPA”). The Act establishes the legal framework for the regulation of personal data in Nigeria and replaces the Nigerian Data Protection Regulations (NDPR) 2019 and the NDPR Implementation Framework 2019 issued under the National Information Technology Development Agency (NITDA) Act.

The key provision of the Act is the establishment of the Nigeria Data Protection Commission (NDPC or “the Commission”) and a Governing Council (“the Council”) of the Commission. The Commission will superintend the implementation and enforcement of rules and regulations set out in the Act and regulate the processing of personal information and other related matters, while the Council is charged with formulating and providing the overall policy direction of the affairs of the NDPC.

This Newsletter analyses the implications of the NDPA for businesses operating within and outside Nigeria, including best practices for compliance.

1. Objective of the Act

In today’s interconnected world, data plays a pivotal role in shaping decisions and driving actions. Safeguarding information has become very important to governments and regulators, both because it is highly likely to contain personal data and to ensure that it is not misused. As a result, many countries have enacted laws that ensure data protection is a fundamental human right, and Nigeria is no exception. The nation’s commitment to individual privacy and security is evident in Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (“the 1999 Constitution”), which explicitly guarantees citizens’ right to privacy. This provides the foundation for Nigeria’s legal framework on data privacy and protection.

Based on the above, the key objectives of the Act include:

i. safeguarding the fundamental rights and freedoms and the interests of data subjects[1] as guaranteed under the 1999 Constitution;

ii. regulating the processing of personal data;

iii. promoting data processing best practices that safeguard the security of personal data and the privacy of data subjects;

iv. protecting the rights of data subjects and providing means of recourse and remedies in the event of a breach of the data subjects’ rights;

v. ensuring that data controllers/processors[2] fulfil their obligations to data subjects;

vi. strengthening the legal foundations of the national digital economy; and

vii. guaranteeing Nigeria’s participation in regional and global economies through beneficial and trusted use of personal data.