The National Information and Technology Development Agency (“NITDA”) recently published the Draft Data Protection Bill 2020 (the “Bill”) for the input of stakeholders. The Bill, if enacted, will be an addition to the laws that govern the use and protection of data in Nigeria.
The Bill seeks to establish a framework for the protection of personal data, particularly to protect data subjects’ data against misuse by organisations and security agencies; establish a regulatory authority that will coordinate data protection and privacy issues and have oversight of data controllers and data processors; and ensure that personal data is processed in accordance with NITDA’s data protection principles.
The protections offered in the Bill are similar to those stated in the Nigeria Data Protection Regulation, 2019 (“NDPR”) issued by NITDA, which regulates the collection and processing of data. However, the Bill includes novel additions and expands on existing data protection rules, which we have highlighted below.
Key Changes and Improvements in the Bill
- Scope of the Bill – The Bill builds on the scope of the NDPR by expressly listing the persons and bodies that will be subject to its provisions. These are: persons resident in Nigeria and Nigerian nationals irrespective of residence; public and private companies in Nigeria; unincorporated joint ventures or associations operating in Nigeria; any institution or body which maintains an office, branch or agency through which business activities are carried out in Nigeria; and foreign entities targeting persons resident in Nigeria.
- Categories of Data – The categories of data to be protected are expanded and include personal information such as religious affiliation, sexual orientation, and even trade union memberships. The Bill goes further to protect other personal information such as banking records, academic transcripts, health records, and personal subscription data. It should be noted that the Bill's definition of personal data is not exhaustive, as it makes provision for definitions to be included in guidelines to be made by the Data Protection Commission.
- Establishment of Data Protection Commission – The Bill seeks to establish a Data Protection Commission (the “Commission”) to enforce its provisions by, amongst others, regulating the processing of personal information and having oversight over data processors and controllers. The powers of the Commission are similar to those of NITDA. It is important that there is a clear delineation of powers between the Commission and NITDA before the Bill is passed into law.
- Rights of a Data Subject – The Bill provides for persons to be notified within 48 hours after a data breach affecting them has been reported by the individual or body in possession of their data (“data controller”) to the Commission. The Bill, however, does not state when or how the data controller is to report to the Commission upon becoming aware of a breach of the data it controls.
- Penalties for Breach of Data Bill – The Bill strictly penalizes breaches of data by individuals/bodies, data controllers/processors, and staff of the Commission. The Bill provides for fines of up to ₦10,000,000.00 (Ten Million Naira) and imprisonment terms of up to 5 (five) years for persons or bodies convicted under the Bill. The Bill also provides for the forfeiture of assets by convicted persons under the Bill and allows for the compensation of victims of data breaches.
The Bill, on its face, seems to repeat provisions already in the NDPR. It sheds light, however, on protections provided in the NDPR. There are also novel inclusions such as the Data Protection Commission and the significant expansion of penalties for data breaches. The Bill is in draft form and it is expected that NITDA would provide clarity on the questions that arise from the review of the Bill before it is passed into law.