Nigeria gets legal framework for data protection

With the high rate of cybercrime in Nigeria, it has become critical to have a legal framework that can help protect and prevent the information of an individual, government and private organizations from fraudulent activities, hacking, publishing, and identity theft.

One major recent attack was in January 2022 when hackers claimed to have accessed the database of the National Identity Management Commission (NIMC), a government institution that manages the identity of Nigerian citizens, although NIMC later denied the breach.

Little wonder that the Global Cybersecurity Index for 2020 ranked Nigeria 47th out of 182 countries and 4th position in Africa in 2021.

In a bid to provide a legal framework for the protection of personal information, and data practices in Nigeria, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Bill, 2023.

The new law establishes the Nigeria Data Protection Commission to replace the existing Nigeria Data Protection Bureau, according to the information released by the national commissioner for Nigeria Data Protection Bureau.

While a gazette copy of the law is yet to be publicly available, the law outlines general principles for the processing of personal information, including the processing of sensitive information, data controller obligations, such as breach notifications, the conducting of Data Protection Impact Assessments (DPIAs), and the appointment of a data protection officer (DPO.

It further imposes restrictions on the cross-border transfer of personal information and establishes data subject rights, namely, the right to object, withdraw consent, data portability, and the right not to be subject to a decision based solely on the automated processing of personal data.

It is expected that the law will provide a better foundation for safeguarding personal data and making sure it doesn't end up in the wrong hands as well as criminalizing cross-border transfer of personal data unless it is authorized by law.