The NDPR, Reinforcing Data Privacy Rights in Nigeria

The Nigerian Data Protection Regulation, 2019, also known as the NDPR for short is a data protection law that was recently passed in Nigeria in 2019. In a similar vein to the European Union’s wide-reaching General Data Protection Regulation or GDPR, the NDPR lays out the legal framework that data controllers and processors are required to follow when processing personal data. The NDPR was issued by Nigeria’s National Information Technology Development Agency or NITDA for short for the purposes of reinforcing the right to privacy afforded to Nigerian citizens under the Constitution. As such, the NDPR guarantees Nigerian citizens a multitude of rights as it pertains to the protection of their personal data.

How are data controllers and processors defined under the NDPR?

Under the NDPR, a data controller is defined as “A person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”. Alternatively, a data processor is defined as “the natural or legal person, public authority, service, commission or any other body which, alone or jointly with others processes personal data on behalf of the data controller”. In terms of the scope and application of the NDPR, the personal scope of the law applies to any individual or entity that collects, processes, stores, uses, or shares the personal data of Nigerian citizens.

Conversely, the territorial scope of the NDPR is applicable to all Nigerian citizens, whether they physically reside within the country or elsewhere. Furthermore, the material scope of the law applies to all forms of personal data that are processed within Nigeria. However, there are some exceptions to this, such as personal data that is processed for the purposes of public safety, morality, security, or interests, as well as data processing that could be used to prevent the detection of a crime or the apprehension or prosecution of an offender within Nigeria. Personal data processing used in the context of the publication of literary or artistic works and materials is also exempt from the provisions of the NDPR.

What are the obligations of data controllers and processors under the NDPR?

Much like the EU’s GDPR law, the NDPR sets forth the following data protection principles that data controllers and processors within Nigeria are required to abide by at all times:

• Transparency– Data controllers and processors are obligated to provide data subjects with information related to data processing in a transparent, intelligible, concise, and easily accessible format that makes use of clear and plain language.
• Purpose and limitation– Data controllers and processors are responsible for specifying the purposes for the collection and processing of personal data in their privacy policy.
• Limitation– “The provisions of the NDPR are sacrosanct and no limitation clause in a privacy policy will exonerate a data controller from liability for violating the NDPR.”
• Accuracy– All personal data that is collected and processed is expected to be accurate and without prejudice to the dignity of Nigerian citizens.
• Storage limitation– Data controllers and processors are responsible for outlining the time period for which the personal data will be stored in their privacy policy. In instances where this is not possible, data controllers and processors must instead outline the criteria that determine how long a data subject’s personal data will be stored.
• Confidentiality– Data controllers and processors must implement a security apparatus to ensure that all personal data in their possession remain confidential and protected from potential attacks.
• Accountability– Data controllers and processors who have been entrusted with personal data on behalf of data subjects are responsible for their acts and omissions as it relates to data processing, in accordance with the provisions of the NDPR.

What are the rights of Nigerian citizens under the NDPR?

Under the NDPR, Nigerian citizens are entitled to the following rights as it pertains to their personal privacy and data protection:

• The right to be informed of the collection and processing of their personal data.
• The right to file a complaint or send a request to a data controller or processor for the purposes of exercising their rights under the law.
• The right to obtain information regarding the personal data that a data subject has provided to a data controller or processor, free of charge, except as otherwise provided by public policy or other regulations.
• The right to know the details of a data controller or processor.
• The right to withdraw consent.
• The right to access their personal data.
• The right to data portability.
• The right to rectification.
• The right to object to or restrict the processing of their personal data.
• The right to be informed of instances in which their personal data is being processed for additional purposes outside of what was originally stated at the time of collection.
• The right to be informed about the transfer of their personal data to another country.
• The right to request that their personal data be deleted.
• The right to file a complaint to relevant authorities.

What are the penalties for noncompliance under the NDPR?

In terms of the penalties related to non-compliance, the NDPR is enforced through section 2.10 of the law as opposed to a single governing body or data authority. As such, data controllers and processors who violate the law are subject to the following penalties:

• A “fine of 2% of the annual gross revenue of the preceding year or payment of the sum of NGN 10 million” ($25,028), whichever is greater, for cases dealing with more than 10,000 data subjects.
• A “fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million” ($4,889), whichever is greater, for cases dealing with less than 10,000 data subjects.
• Criminal liabilities include a prison sentence of up to two years.

Although the Constitution of Nigeria does provide Nigerian citizens with the right to privacy, the NDPR serves as a means to reinforce these rights in a more modern context. As such, the NDPR outlines the obligations that data controllers and processors have as it relates to data processing activities, as well as the punishments that can be imposed as a result of failing to comply with the law. As the EU’s GDPR law continues to influence other privacy legislation around the world, laws such as the NDPR was only sure to become more prominent and widespread. More importantly, however, the NDPR provides comprehensive data protection to Nigerian citizens.