On the 12th day of June, 2023, the President of Nigeria enacted the Nigeria Data Protection Bill into law, thereby officially establishing the Nigeria Data Protection Act, 2023. This Act provides a legal framework for safeguarding personal information and implementing data protection in Nigeria.

This article aims to examine the rights of Nigerian citizens under the new Act.

SCOPE OF APPLICATION OF THE ACT

By virtue of section 2 of the Act, the Act applies to the processing of personal data, whether by automated means or not, where:

  • The data controller or data processor is domiciled in, resident in, or operating in Nigeria
  • Processing of personal data within Nigeria
  • The data controller or data processor is not domiciled in, resident in, or operating in Nigeria but is processing personal data of a data subject in Nigeria

RIGHTS OF A DATA SUBJECT

Data controllers and data processors are obligated, under the Act, to implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data in their possession and control. The rights exercisable by data subjects under the Act are discussed below.

1. Right to be informed: Any data controller wanting to use, consult or process the personal data of a data subject must inform the subject about the processing and its extent timeously.1 This means that companies, institutions, or individuals must tell data subjects what they are processing and the purpose of such processing in a clear, concise, transparent, and intelligible manner. This is one of the key characteristics of the transparency principle. The information includes the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data will be disclosed, the period of retention, etc.

Privacy statements are one of the major devices used by controllers to provide data subjects with comprehensive information on processing activities and purposes. Privacy policies or notices are documents drafted by controllers to provide data subjects with comprehensive information on an organization's personal data management including collection, use, storage, transmission, and overall handling of data.

2. Right of Access: A data subject has a right to access their data and obtain a copy of their personal data, and other supplementary information, from an organization processing personal data, which may or may not include payment of a fee depending on the circumstances of the case, provided such access will not infringe on the rights of others. This right also finds expression under the principle of transparency.2

This right can be exercised through the Data Subject Access Request (DSAR). The DSAR is a request by a data subject in the exercise of his/her data protection right of access to data held by the data controller.

This right gives life to other rights such as rectification, erasure, or objection to further processing. This is because data subjects first need to gain access before they can erase, rectify or object as the circumstances may require. The Act did not state the form through which the request can be made; it will however suffice if it is written (including through social media) or orally made, provided there is a clear intention that the data subject is requesting his/her personal data. Based on this right, students (DS) can request their school or other institution that has their information to provide such information to them at no cost.

3. Right to rectification of personal data: This right underpins the principle stated in section 24(e) of the Act to wit that "a data controller or data processor shall ensure that personal data is accurate, complete, not misleading, and where necessary, kept up to date...".

This right entitles a data subject to confirmation that their personal information is processed by the controller in an updated version, on the one hand, and also obliges the controller to ensure that personal data is accurate, up to date, or deleted when irrelevant or outdated. Personal data could be in the form of opinions, comments, or the controller's description of certain personal features of a data subject. In Khelili v Switzerland,3 where the applicant's occupation was inaccurately recorded as "prostitute", she successfully challenged the inaccurate description.

4. Right to erasure or deletion: This is the right to have negative private information about a person removed from internet searches and other directories under some circumstances. It is also known as the right to be forgotten, the right to de-referencing, the right to be de-indexed, or the right to suppression.4 This right is deeply rooted in the notion of self-governance and self-determination. The rationale behind the right to be forgotten is that it is in the interest of all humanity that people are not adversely judged and/or punished as a result of some old infractions that do not represent their extant interest.5

This right is not absolute and only applies in certain unique circumstances such as where:

  1. the personal data is no longer necessary in relation to the purposes for which it was collected or processed, or
  2. the data controller has no other lawful basis to retain the personal data.6

5. Right to restriction of processing: It is exercised where a data subject needs to decide whether to request rectification or deletion of his information processed by the controller, as well as in the event of a conflict between the parties. While this right is being exercised, the data controller can only store the data until the data subject decides on further actions or steps to be taken, except where the latter consents or the information needs to be processed for legal claims or the protection of others' rights.

This right is not absolute but is exercisable in certain circumstances: (a) where the resolution of a request is needed, (b) where there is an objection by the data subject, and (c) where there is an establishment, exercise, or defense of legal claims.7

For instance, a school website may mistakenly list a DS as a second-class honors student, instead of the first class that such DS actually is. The DS has the right to request the restriction of further processing of personal information pending the verification of the accuracy of the information by the school. This right may serve as an alternative option to the right to erasure and is closely linked to the rights to rectification and objection. A DS who challenges the accuracy and seeks rectification of personal data can, at the same time, request restriction of the processing pending such rectification or objection.

6. Right to withdraw consent: A data subject shall be informed prior to giving his/her consent that they possess the similar right to withdraw consent and that it shall be easy to withdraw such consent.8 Although the Act does not specify the mode to withdraw consent, it can however be done in different ways such as a termination of a user account, uninstallation of a game, or ending the usage of a service.

The concept of personal data processing is part of the broader informational self-determination principle, and as such everyone should have free will to decide what others can do with their personal information.

7. Right to object to processing: Unlike the right to restriction of further processing, this is an absolute right that allows data subjects to object to the processing of their personal data, provided such exercise of the right is not exempted by law.9 Every user has the right to object to the processing of their personal data at any material time, whether with respect to particular personal data or all of their personal data.

Under the Act, the data subject has the general right to object to the processing of their data, particularly for the purpose of marketing, while the data controller has the responsibility of providing a free mechanism for the objection. Thus, the objection can be expressed in any form, oral or in writing, including social media, and conveyed to any organization.10

8. Right in relation to automated decision making and profiling: The Act confers the right generally on a data subject not to be subjected to a decision based solely on the automated processing of personal data.11 Automated individual decision making is a decision made by automated means without any human intervention, such as the online decision to award a loan or a recruitment aptitude test. While automated decision making often involves profiling, it does not always have to.

Profiling in this context has been defined as any form of automated processing of personal data consisting of the use of personal data of DS to evaluate certain personal attributes or features in relation to his standards/characteristics of living for the purpose of predicting the preferences of his economic, social, health, religious, political choices and general personal interests and concerns.

The Act, however, requires a data controller, prior to processing of data, to inform the data subject of the existence of automated decision making, including profiling, and in those cases, to provide meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for data subjects. Therefore, controllers are restricted from conducting automated decisions, including profiling, that portend certain significant effects on individuals without their consent. This general principle does not apply in the following circumstances, where the decision is: a) necessary for entering into or the performance of a contract between the data subject and a data controller; b) authorized by a written law, which establishes suitable measures to safeguard the fundamental rights and freedoms and the interests of the data subject.12

9. Right to lodge a complaint with the Commission: Data subjects have a right to lodge a complaint to the Nigeria Data Protection Commission when aggrieved with the action of a data controller. The Commission will investigate the complaint and where satisfied that the data controller is in breach of the provisions of the Act, the Commission will make the appropriate compliance order against the data controller.

10. Right to data portability: Data portability simply means the ability to transfer data from one IT system or computer to another through a safe and secure means in a standard format.13

This allows the data subject to manage and reuse their personal data for their own purposes across different services on multiple interoperable platforms.

In exercising this right, data subjects have the right to receive from the data controller, personal data concerning them in a structured, commonly used, and machine-readable format and to transmit these data to other controllers without hindrance.

CONCLUSION

The Nigeria Data Protection Act is indeed welcome legislation regardless of any flaw or uncertainty it might have. From the examination of the Act, data controllers and data processors are given a higher responsibility to match the high level of accountability that is expected of any organization entrusted with the personal data of data subjects. An important question that comes to mind, and that the NDPA has failed to address, is whether the Act repeals the Nigeria Data Protection Regulation 2019 (NDPR). Though there is no specific provision in the Act that mentions the repeal of the NDPR, a careful reading of the transitional provisions in Section 64 of the Act shows that it mandates that all orders and regulations made or issued by NITDA and the NDPB continue to be in force until they either expire or are repealed. Therefore, it can be rightfully assumed that the NDPR is not repealed by the Act.

Footnotes

1 Section 34 (1a-iv), Nigeria Data Protection Act, 2023

2 Section 34b, Ibid

3 Olumide Babalola, "Privacy and Data Protection Law in Nigeria", pg. 158

4 Ibid.

5 Olumide Babalola, "Casebook on Data Protection", pg. 454.

6 Section 34 (2a & b), Nigeria Data Protection Act, 2023.

7 Section 34 (e (i)-(iii) ), Ibid.

8 Section 35, Nigeria Data Protection Act, 2023

9 Section 36 (1 & 2), Ibid

10 Section 36 (3 & 4), Ibid.

11 Section 37, Ibid

12 Section 37 (2a-c), Ibid

13 Section 38, Ibid
