President Bola Ahmed Tinubu of Nigeria has taken a significant step in safeguarding citizens' personal data by signing the Data Protection Bill 2023 into law.
The bill, initially proposed by former President Muhammadu Buhari, aims to provide legal protection for personal data both online and offline within the country.
In the digital age, where technological advancements and the widespread use of the internet have become integral parts of our daily lives, the Data Protection Bill is necessary to address the growing concerns regarding the privacy and security of personal data.
Here are the key provisions of the bill:
1. Protection of Personal Data: The Data Protection Act aims to safeguard personal data and prevent unauthorised access or misuse. It establishes measures to ensure that personal information is adequately protected and not disclosed to unauthorised individuals.
2. Cross-Border Data Transfers: The law prohibits the transfer of personal data across national borders without express legal permission. This provision aims to prevent personal data from being sent to jurisdictions that do not offer adequate data protection standards.
3. Establishment of Nigerian Data Protection Commission: The Act establishes the Nigerian Data Protection Commission, which replaces the existing Nigerian Data Protection Bureau. This commission will have the authority to enforce and oversee compliance with the data protection regulations.
4. Processing of Personal Information: The law sets out general principles and rules for the processing of personal information. It outlines the conditions under which personal data can be collected, used, stored, and shared. It includes provisions on consent, purpose limitation, data minimisation, accuracy, and accountability.
5. Sensitive Information Processing: The Act addresses the processing of sensitive personal information, such as biometric data, health records, religious beliefs, and political affiliations. It imposes stricter requirements for the handling of sensitive data to ensure enhanced privacy protection.
6. Data Controller Obligations: The legislation places responsibilities on data controllers, the entities or individuals that determine the purposes and means of processing personal data. It requires data controllers to comply with certain obligations, including notifying data breaches, conducting Data Protection Impact Assessments (DPIAs), and designating a data protection officer (DPO) in certain circumstances.
7. Data Subject Rights: The Act grants individuals certain rights concerning their personal data. These rights include the right to object to the processing of their data, the right to withdraw consent, the right to data portability, and the right not to be subjected to decisions based solely on automated processing of personal data.