New Legislative Standards for Data Processing In Niger

Niger’s Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law, also known as the Law for short, is a data protection and personal privacy law that was recently passed in Niger in 2017. As the rights to personal data and privacy have become a growing concern throughout the continent of Africa in the past few years, as evidenced by the passing of laws such as Kenya’s Data Protection Act 2019 and Zimbabwe’s Cybersecurity and Data Protection Bill of 2019, Niger has also taken to passing their own comprehensive data privacy law. As such, Law No. 2017-28 of 3, May 2017 on the Protection of Personal Data Law establishes the legal grounds for which personal data may be collected and processed within the country of Niger.

How are data controllers and processors defined under Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law?

Under Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law, a data controller is defined as “a subcontractor, individual or, public or private legal entity, any other agency or association which processes data for the person in charge of the treatment”. Alternatively, a data processor is defined as a “natural or legal person, public or private, any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determine the purposes thereof”. Furthermore, personal data is defined as “any personal data that reveals directly or indirectly, racial and ethnic, origins, political, philosophical or religious opinions or trade union affiliation of persons, or that concern their health or sexual life or social measures, prosecution, criminal or administrative sanctions”.

In terms of the scope and application of the law, the personal scope of Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law applies to any collection, processing, storage, use, or transmission of personal data within Niger. Conversely, the Law has no extraterritorial scope, as its various provisions and requirements only apply to data subjects within Niger, while the material scope of the Law applies to the following types of data processing:

• Any collection, processing, storage, use, or transmission of personal data conducted by an individual within Niger, or local and state authorities.
• “Any automated or non-automated processing of data provided or to appear in a file”.
• Any data processing that takes place in Niger.
• Any processing of personal data that relates to defense, public security, research, state security, or the prosecution of criminal offenses.

What are the requirements of data controllers and processors under Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law?

In a manner similar to that of the European Union’s General Data Protection Regulation or GDPR, Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law establishes a variety of principles as it pertains to the collection, processing, use, and transmission of personal data. These principles include:

• The principles of lawfulness, fairness, transparency– Personal data must be collected and processed in a manner that is consistent with the principles of lawfulness, fairness, and transparency.
• The purpose principle– Personal data may only be collected or processed for explicit, specific, and legitimate purposes, and the collection and processing of personal data for any reasons other than these purposes is prohibited.
• The principles of proportionality– All personal data that is collected and processed must be relevant, adequate, and not excessive in relation to the purposes for which said personal data was collected or processed. Data controllers and processors are prohibited from collecting or processing any more personal data than they need to fulfill their stated purposes.
• The principle of accuracy– All personal data that is collected and processed must be accurate, as well as updated when necessary. Data controllers and processors are responsible for taking appropriate steps to ensure that any incorrect or incomplete personal data within their possession is either erased or rectified.

What are the rights of data subjects under Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law?

Under Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law, data subjects within Niger are entitled to the following rights with respect to the protection of their data and personal privacy:

• The right to be informed– Data subjects have the right to be informed of the identity of a data controller or processor, the categories of personal data that are to be collected and processed, as well as specific purposes for collection and processing, among other various details.
• The right to access– Data subjects have the right to confirm the processing of their personal data, as well as access a copy of their personal data that they have supplied to a data controller or processor.
• The right to rectification– Data subjects have the right to request that a data controller or processor rectify, complete, update, block or delete any personal data pertaining to them, permitting said personal data has been found to be inaccurate or incomplete.
• The right to erasure– Data subjects have the right to request that a data controller erase and cease the dissemination of their personal data, under certain circumstances, such as instances in which their personal data is no longer needed with respect to the purposes for which it was collected and processed.
• The right to object or opt-out– Data subjects have the right to object or opt-out of the collection and processing of their personal data for prospective purposes, as well as to be informed of the transfer of their personal data to a third party prior to said transfer, should this wish to object.

What are the penalties for violating Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law?

In terms of violations in relation to non-compliance with the law, Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law is enforced by the High Authority for the Protection of Personal Data or HAPDP for short. To this end, the HAPDP has the power to issue the following monetary and administrative penalties:

• “To issue a warning to the data controller who does not comply with the obligations of the Law”.
• “To issue a formal notice to put an end to the breaches within a fixed period”.
• “To issue a provisional withdrawal of the authorization granted by HAPDP”.
• “To issue a permanent withdrawal of the authorization”.
• A monetary fine ranging from XOF 20 million ($34,727) to XOF 40 million ($69,455)
• A term of imprisonment ranging from three to five years.

As many nations around the world have taken steps to guarantee the data privacy rights of their respective citizens through legislative means in the past decades, the country of Niger has made similar efforts through the passing of Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law. As such, the legal basis set forth by the law ensures that the collection, processing, use, storage, and transmission of personal data with Niger is regulated in accordance with strict provisions. More importantly, however, it also establishes the punishments that data controllers and processors within Niger stand to face should they fail to uphold the data protection and privacy rights of the citizens of their nation.