The document discusses data protection regulations in Nigeria. It notes that Nigeria previously lacked comprehensive data privacy laws, relying mainly on constitutional protections. A new Data Protection Act was passed in 2019 to regulate personal data collection and establish rights for data subjects. The act requires lawful collection of accurate data with user consent and limits on storage duration. It aims to safeguard privacy and enable a competitive digital economy in Nigeria. However, challenges remain in awareness, enforcement, and capabilities to properly implement the new legislation.
Unraveling Multimodality with Large Language Models.pdf
Data Protection Act 2019 Enhances Privacy in Nigeria
1. Enhancing Data Protection and Privacy in
Nigeria through the Data Protection Act
2019
GSMA – Principles of Mobile Privacy
June 2019
Chukwuemeka Nzeih
Digital Bridge Institute
Abuja - Nigeria
2. Introduction
Data Protection Regulations are aimed at regulating the collection, collation,
storage and processing of personal data by private, public and government
entities, as well as safeguarding information of individuals obtained through such
digital processes.
Such regulations also aims to achieve the concepts of Confidentiality, Integrity and
Availability.
Nigeria has lagged behind in the development of a regulatory framework for data
protection, as there has been a dearth of data protection laws in the country.
Hitherto, the void created by the lack of data protection laws was filled, albeit
inadequately by the Constitution of the Federal Republic of Nigeria, 1999 (as
amended) (the “Constitution”). Aggrieved persons sought refuge in Section 37 of
the Constitution
Various stakeholders have clamoured for a comprehensive data protection
framework and law.
In January 2019, the Nigeria Data Protection regulation was developed by the
3. The Need for Data Protection Law in Nigeria
https://youtu.be/krvDnUU_zzg
4. Data Privacy in Nigeria Pre-2019
Prior to the year 2019 there was no specific
law for data protection in Nigeria.
there is no other law that sets out detailed
provisions on the protection of the privacy
of individuals in Nigeria.
People rely on Section 37 of the Constitution
which provides that: "The privacy of
citizens, their homes, correspondence,
telephone conversations and telegraphic
communications is hereby guaranteed and
protected".
5. Industry Specific Data Regulation Privacy in Nigeria Pre-2019
Some Industry specific regulation existed for limited privacy within some
sectors. Examples are;
The Nigerian Communication Commission (NCC) Consumer Code of Practice
Regulations 2007 which provides all licensees must take reasonable steps to
protect customer information against "improper or accidental disclosure"
and must ensure that such information is securely stored.
This regulations also states that the customer information must “not be
transferred to any party except as otherwise permitted or required by other
applicable laws or regulations”.
The NCC Regulations applies to all customer information relating to
customers of any nationality that use a licensee’s network in Nigeria
https://www.ncc.gov.ng/docman-main/legal-regulatory/regulations/102-consumer-code-of-practice-regulations-1/file
6. Industry Specific Data Regulation Privacy in Nigeria Pre-2019
The National Information Technology Development Agency (NITDA) which is the
national authority that is responsible for planning, developing and promoting
the use of information technology in Nigeria issued a guidelines on data
protection (the “NITDA Guidelines“).
The NITDA Guidelines recommends the minimum data protection requirements
for the collection, storage, processing, management, operation, and technical
controls for information and is currently the only set of regulations that
contains specific and detailed provisions on the protection, storage, transfer or
treatment of personal data.
The NITDA Guidelines apply to government agencies at all strata as well as
private sector organisations that own, use or deploy information systems of in
Nigeria, and also apply to organisations based outside Nigeria if such
organisations process personal data of Nigerian residents.
https://www.uubo.org/media/1337/data-privacy-protection-in-nigeria.pdf
7. Industry Specific Data Regulation Privacy in Nigeria Pre-2019
The NITDA Guidelines defined “personal data”
as: “any information relating to an identified
or identifiable natural person (data subject);
information relating to an individual, whether
it relates to his or her private, professional or
public life. It can be anything from a name,
address, a photo, an email address, bank
details, posts on social networking websites,
medical information, or a computer’s IP
address”.
https://www.uubo.org/media/1337/data-privacy-protection-in-nigeria.pdf
8. Effect of Absence of Data Protection Law
The absence of a comprehensive data protection law led to the prevalence of
following;
1. Prosecutorial Challenge;
2. Inability to combat cyber crime related to identity theft and data
breaches;
3. Inability to regulate the distribution of private data such as GSM Numbers
of subscribers by mobile operators;
4. The use of personal data for a different purpose for which it was
collected;
5. Repeated data breaches without repercussions.
6. Lack of effective security for data.
10. a) Safeguarding the rights of natural persons to data privacy;
b) Fostering safe conduct of transactions involving the exchange of personal
data;
c) Preventing manipulation of personal data; and
d) ensuring that Nigerian businesses remain competitive in international trade
through the safeguards afforded by a just and equitable legal regulatory
framework on data protection and which regulatory framework is
consistent with global best practices.
Key tenets of a National Data Protection Law
11. Benefits of Nigeria Data Protection Regulation 2019
https://youtu.be/DQ1Q9BORaOk
12. 1. Privacy Policy
2. Data Security
3. Third Party Data Processing Contracts
4. Data Protection Compliance Organisations
5. Data Subject Right of Objection
6. Penalty for default.
Key Contents of Nigeria Data Protection Regulation 2019
13. Key Players under the Data Protection Act 2019
Data
Subject
Data
Controller
Data
Processor
the person whose
identity is or may
be revealed from
the data;
Any person/corporate
who determines the
purpose and manner
for processing the
data; and
any person/corporate
who processes the data
in any form e.g. storing,
reproduction,
modification
14. 1. Data must be collected and processed for lawful purposes with the consent of the
Data subject.
2. Data collected shall be adequate, accurate and without prejudice to the dignity of
human person.
3. Data shall be stored only for a certain period.
4. The Duty of Care and Accountability in respect of all personal data
Some stipulations of the Nigeria Data Protection Act 2019
15. Where consent (evidenced by an affirmative action) is given by the data subject;
where the data subject is a party to a contract and the processing is
necessary for the contract’s performance or to take steps at the request of
the Data Subject before entering into the contract;
where the processing is necessary for compliance with a legal obligation
to which the Data Controller is subject;
where processing is necessary in order to protect the vital interests of the
Data Subject or of another natural person, and;
where processing is necessary for the performance of a task carried out in
the public interest or in exercise of official public mandate vested in the
data controller.
Instances for Lawful Processing of Data
16. Implementation Challenges of the National Data Protection Regulation
Very low awareness level.
Weak Implementation and compliance Mechanism.
Slow judicial and litigation process for prosecuting offenders.
Lack of effective IT surveillance personnel and equipment.
17. Conclusion
The Nigeria Data Protection Regulations is a giant leap and a step
forward in promoting data privacy and protection in Nigeria.
The Regulation will help control the incessant cases of data breaches
in Nigeria.
To achieve the objectives of the regulations user will need to be
continuously educated on about protecting their personal
information and advocate for the use of Privacy Enhancing
Technologies.
A Multistakeholder approach will be the best fit in pursuing the
attainment of the dictates of this regulation.