The Data Protection Bill 2020
On the 26th of September 2022, the Chairman of the Senate Committee on Information Communication Technology (ICT) and Cybercrime, Yakubu Oseni, noted at a one-day sensitization workshop on data protection that the Data Protection Bill (“Bill”) will be passed into law by the National Assembly within 30 days of receiving it from the Federal Executive Council (FEC). The Bill is the first of its kind in Nigeria, considering that the Nigerian Data Protection Regulation (NDPR) is not an Act of the National Assembly and is too limited in form and scope to adequately protect the personal data of Nigerians.
Objective of the Bill
The Bill’s objective is to create a regulatory framework for the protection and processing of personal data and to safeguard the rights and freedoms of data subjects, which are guaranteed under the Nigerian Constitution. The Bill can be seen as a response to the need for a more effective and comprehensive legal regime for data privacy and protection in Nigeria and, when passed into law, is likely to bridge the gaps that currently exist in the extant regulatory regime.
New Provisions of the Bill
Compared to the NDPR, the Bill expands the category of persons covered and provides more certainty on its application. Some of the notable provisions of the Bill, as opposed to the NDPR, are:
- The sale of personal data obtained without proper consent or advertising the data where it was improperly obtained could attract up to 5 years imprisonment upon conviction in addition to a fine.
- The Bill sets out six categories of persons covered by the proposed Act which include Nigerian citizens, Nigerian residents, organizations incorporated in Nigeria, unincorporated joint ventures or associations (businesses) operating partly or wholly in Nigeria; persons who maintain an office, branch or agency through which business activities are carried out in Nigeria; and foreign entities targeting Nigerian residents.
- The Bill also establishes the Data Protection Commission (the “Commission”). The Commission is saddled with the responsibility of implementing and monitoring compliance with the provisions of the Bill, providing the process to obtain, store, process, use or disclose personal information, investigating any complaints arising from non-compliance with the Bill, imposing fines and penalties to enforce compliance, and making regulations necessary for carrying out its functions. The Commission will replace the role that NITDA has played to date in terms of the regulation of data protection.
- Data Controllers are now required to submit their annual data protection audit report on the 30th of March of each year as opposed to 15 March as provided in the NDPR.
- The Bill provides fixed penalties for non-compliance, as against the percentage of annual gross revenue under the NDPR. For instance, knowingly obtaining information, disclosing information to a third party or retaining information without the consent of the data controller can attract a fine of N5 million upon conviction or one-year imprisonment.
- The Bill sets out the rights of data subjects to include the right to be notified of data breaches within 48 hours after the Commission is notified of the breach; right of access; rights in respect of automated decision making; right to rectification, erasure and restitution of processing; right to seek judicial remedy; right to prevent the processing of personal data; right to have data processing suspended, among others.
- Compared to the NDPR, the category of data covered by the Bill has been expanded, although the Data Protection Commission still has powers to issue guidelines to cover other categories not specifically listed in the Bill. Such other categories of data are usually processed by service providers and commercial entities as may be determined by the guidelines of the Commission.