Nigeria Data Protection Bill: What it means for Nigerians

The Federal Executive Council (FEC) has approved the passage of the Nigeria Data Protection Bill to the National Assembly for further deliberations. The bill will be transmitted through the office of the Attorney General and Minister of Justice of the Federation.

During Wednesday’s FEC meeting, the Minister of Communications and Digital Economy, Isa Pantami, disclosed this. According to the Minister,  the bill, when passed into law, will ensure the privacy and confidentiality of data being submitted to the government and other institutions. 

The Nigeria data protection bill seeks to give Nigerians full legal backing in protecting their data and will replace the current Nigeria Data Protection Regulation (NDPR). Recall President Muhammadu Buhari approved the establishment of the Nigeria Data Protection Bureau on the 4th of February 2022.

The Bureau was mandated to study and implement the Nigeria Data Protection Regulation (NDPR) and to coordinate the passage of an enabling Act for data protection.

Before the presentation of the bill by Prof. Pantami, the National Assembly had assured the National Data Protection Bureau, a subsidiary of the National Information Technology Development Agency (NITDA),, of the bill’s speedy passage within 30 days of receiving it from the FEC. 

However, given the upcoming elections and the electioneering campaigns that the country is witnessing, it is left to be seen whether the 30 days promise of passage by the legislators will become a reality.

Read also: Will FG’s Decision to Transfer NIMC to Ministry of Communications Solve the National Identity Challenges?

What we know about the bill

The draft of the bill was first introduced and presented to the Minister of Communication and Digital Economy, prof. Isa Pantami in October last year by the National Data Protection Bureau.

Before the bill being introduced, Nigeria had the Nigeria Data Protection Regulation (NDPR), which the Data Protection Bureau is enforcing. The regulation has faced several criticisms from experts who have questioned the lack of the compelling power of the law to ensure the protection of data in the government’s care.

Hence, the clamour for a substantive law that will guide data handling across all levels in the country.  

Specific provisions of the data protection bill and implication

According to the statement contained in the document, signed by the Head of Legal, Enforcement & Regulations, NDPB, Barr Babatunde Bamigboye, “The central objective of the Bill is to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, by providing for the regulation of the processing of personal data;

“Promoting data processing practices that safeguard the security of personal data and privacy of data subjects; ensuring that personal data is processed in a fair, lawful and accountable manner.” This is a welcome development as the bill provides the power for the Commission to licence a body to carry out data protection compliance services and to impose sanctions on data processing bodies.

“Protecting data subjects’ rights as well as providing means of recourse and remedies in the event  of the breaches; ensuring that data controllers and data processors fulfil their obligations to data subjects;

While the bill aims to safeguard the fundamental rights, freedom, and interests of data subjects, it does not explain the rights of data subjects, how the rights can be exercised, the process of exercising the rights, and limitations to the exercise of the rights. According to this appraisal, the Bill provides a more comprehensive approach to the rights of the data subjects (compared to the NDPR), it is still not encompassing when compared to the EU GDPR.

Also, it is great that the Bill provides a detailed data breach management procedure. The data controller may extend the known seventy-two-hour reporting period to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach,

The data controller and data processor are also mandated to keep a record of all personal data breaches.

Establishing an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues and supervise data controllers and data processors.”

Finally, “Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial trusted use of personal data.”

Establishment of a Data Protection Commission

Although a Bureau created by NITDA presently oversees data protection, the law calls for the creation of a substantive agency, the Nigeria Data Protection Commission (NDPC). According to section 7 of the bill, the functions of the commission are:

• Ensuring the deployment of technological and organizational measures to enhance personal data protection.
• Promoting public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under the Act.
• Promoting awareness of data controllers and processors’ obligations under the Act. 
• Fostering the development of personal data protection technologies in accordance with recognized international good practices and applicable international law.

An independent and effective regulatory commission to oversee data protection and privacy issues and supervise data controllers and data processors within the private and public sectors is a major win for Nigeria.

However, a review of the composition of the governing council of the Commission shows a heavy reliance on the executive arm of government as the appointment and removal of the members lie on the President’s prerogative.

Also, the commission has to submit legislative proposals to the Minister of Communication and Digital economy, including amending existing laws, to strengthen personal data protection in Nigeria. It can make regulations on any matter that the Minister considers necessary. This implies that the Minister (and the executive arm of government ) greatly influences the commission, throwing the commission’s independence in doubt.

Permission for processing sensitive data

The Bill introduces specific guidelines for the processing of sensitive personal data. In particular, the bill forbids data controllers or processors from processing sensitive personal data themselves or allowing a processor to handle it on their behalf unless one of the exceptions in Section 32(1) applies. The exceptions are:

1. The data subject has given and not withdrawn their consent to the processing for the specific purpose or purposes for which it will be processed. 
2. The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject to underemployment or social security laws or any other similar laws. 
3. The processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent. 

The new rules for processing personal data are an improvement on the NDPR. The new bill also states the lawful basis for processing sensitive personal data. The commission can also consider if a data set can be categorized as sensitive personal data, further grounds for processing such personal data, and safeguards that may apply.

Protection for Minors

Section 33 of the bill outlines guidelines for legally acquiring children’s permission. The Bill specifically states that the data controller must obtain the consent of the child’s parent or other appropriate legal guardian and use appropriate mechanisms, such as the presentation of government-approved identification documents, to verify the child’s age and consent.

However, the bill does not require approval or consent from the minor’s parents where “Processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent, or the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.” 

Read also: 5 things to know about the NITDA ‘Code of Practice’