The NDPR, Reinforcing Data Privacy Rights in Nigeria

The NDPR, Reinforcing Data Privacy Rights in Nigeria

The Nigerian Data Protection Regulation, 2019, also known as the NDPR for short is a data protection law that was recently passed in Nigeria in 2019. In a similar vein to the European Union’s wide-reaching General Data Protection Regulation or GDPR, the NDPR lays out the legal framework that data controllers and processors are required to follow when processing personal data. The NDPR was issued by Nigeria’s National Information Technology Development Agency or NITDA for short for the purposes of reinforcing the right to privacy afforded to Nigerian citizens under the Constitution. As such, the NDPR guarantees Nigerian citizens a multitude of rights as it pertains to the protection of their personal data.

How are data controllers and processors defined under the NDPR?

Under the NDPR, a data controller is defined as “A person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”. Alternatively, a data processor is defined as “the natural or legal person, public authority, service, commission or any other body which, alone or jointly with others processes personal data on behalf of the data controller”. In terms of the scope and application of the NDPR, the personal scope of the law applies to any individual or entity that collects, processes, stores, uses, or shares the personal data of Nigerian citizens.

Conversely, the territorial scope of the NDPR is applicable to all Nigerian citizens, whether they physically reside within the country or elsewhere. Furthermore, the material scope of the law applies to all forms of personal data that are processed within Nigeria. However, there are some exceptions to this, such as personal data that is processed for the purposes of public safety, morality, security, or interests, as well as data processing that could be used to prevent the detection of a crime or the apprehension or prosecution of an offender within Nigeria. Personal data processing used in the context of the publication of literary or artistic works and materials is also exempt from the provisions of the NDPR.

What are the obligations of data controllers and processors under the NDPR?

Much like the EU’s GDPR law, the NDPR sets forth the following data protection principles that data controllers and processors within Nigeria are required to abide by at all times:

What are the rights of Nigerian citizens under the NDPR?

Under the NDPR, Nigerian citizens are entitled to the following rights as it pertains to their personal privacy and data protection:

What are the penalties for noncompliance under the NDPR?

In terms of the penalties related to non-compliance, the NDPR is enforced through section 2.10 of the law as opposed to a single governing body or data authority. As such, data controllers and processors who violate the law are subject to the following penalties:

Although the Constitution of Nigeria does provide Nigerian citizens with the right to privacy, the NDPR serves as a means to reinforce these rights in a more modern context. As such, the NDPR outlines the obligations that data controllers and processors have as it relates to data processing activities, as well as the punishments that can be imposed as a result of failing to comply with the law. As the EU’s GDPR law continues to influence other privacy legislation around the world, laws such as the NDPR was only sure to become more prominent and widespread. More importantly, however, the NDPR provides comprehensive data protection to Nigerian citizens.

Related Reads