Published on 2023-07-19
Data Privacy, Data Protection, Innovation
This Policy Brief reviews the Data Protection Act 2020 (the Act), which protects the rights of individuals regarding their personal data. The Act has some positive aspects, such as expanding the definition of the data controller, including legitimate interest assessment, and recognizing the right to withdraw consent. It also has some areas for improvement, such as clarifying some key terms and concepts, resolving the ambiguity on the right to data portability, and harmonising with the existing regulations. The brief concludes with some recommendations for enhancing the effectiveness and compliance of the Act, such as providing clear definitions and guidelines, establishing a robust mechanism for cross-border data transfers, and repealing or amending the National Data Protection Regulation 2019.
The Act establishes the Data Protection Commission (the Commission) to protect personal data, regulate data processing, and safeguard data subjects' rights. The Act aims to create a framework for personal data protection, especially for data subjects whose data is used by organisations and security agencies. It also aims to establish a regulatory authority that will coordinate data protection and privacy issues and oversee data controllers and processors.
The Act is based on six data protection principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and confidentiality and integrity. It grants several rights to data subjects, such as the right to be informed, the right to access, the right to rectification, the right to erasure, the right to object, and the right to data portability.
The Act also emphasises obtaining informed and specific consent from data subjects before processing their personal data. Consent must be freely given, unambiguous, and revocable at any time. Entities processing personal data must implement appropriate technical and organisational measures to ensure the security and confidentiality of the data. When transferring personal data outside Nigeria, organisations must ensure that the receiving country provides an adequate level of data protection or put in place appropriate safeguards to protect the data.
This policy brief reviews the various sections in the Act with emphasis on its strengths and weaknesses.
The Act has some positive aspects that enhance the protection of personal data and align with international best practices. Some of these aspects are:
Definition of Data Controller: The term ‘data controller’ includes individuals and private entities who process personal data for non-personal purposes. This expands its scope and application compared to the previous regulation, which only applied to public institutions or private organisations (Section 65).
Contents of Data Processing Agreement: The Act specifies what controllers should instruct processors to do in addition to requiring a written contract between them. This ensures clarity and accountability in their roles and responsibilities (Section 29).
Right to Withdraw Consent: The Act grants data subjects the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. This empowers data subjects to exercise control over their personal data (Section 35).
Principle of ‘Availability of Personal Data’: The Act incorporates ‘availability of personal data’ into the confidentiality and integrity principle. This creates a duty for controllers to provide personal data in their custody when requested by data subjects or other authorised parties (Section 24(2)).
Legitimate Interest Assessment: The Act recognizes legitimate interest as a lawful basis for processing personal data under certain conditions. It also provides a framework for assessing whether such interest outweighs the rights and freedoms of data subjects (Section 24(1)(b)(v)).
Designation of Sensitive Personal Data by the Commission: The Act grants the Commission discretion to expand the list of sensitive personal data under the Act based on its assessment of potential risks or harms to data subjects (Section 30(2)).
The Act also has some areas that need improvement or clarification to ensure its effectiveness and compliance. Some of these areas are:
Lack of Definition of Key Terms: The Act fails to define some essential terms that are relevant for its interpretation and application, such as anonymization, cross-border transfer, data portability, vital interest, genetic data, profiling, and third-party, to name a few. These terms were defined under the National Data Protection Regulation 2019 (NDPR), which was issued by the National Information Technology Development Agency (NITDA) as a stopgap measure before the enactment of the Act. The lack of definition of these terms creates ambiguity and confusion for stakeholders, who may have to resort to foreign sources or jurisprudence for guidance.
Ambiguity on the Right to Data Portability: The Act suggests that data subjects are entitled to the right to data portability, which allows them to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance. However, the Act also empowers the Commission to ‘establish’ the right and provide conditions under which it can be exercised. This implies that the right is not fully recognized or operationalized by the Act and may be subject to further limitations or restrictions by the Commission (Section 38).
Need for Harmonization with Existing Regulations: The Act does not explicitly repeal or amend the NDPR, which was issued by NITDA in 2019 and is currently in force. The NDPR has some provisions that are inconsistent or incompatible with the Act, such as the definition of the data controller, the scope of application, and the penalties for breach. This creates potential conflicts or overlaps between the two regulations, which may affect the compliance and enforcement of data protection in Nigeria (Section 64(2)(f)).
Based on the above analysis, the following recommendations are proposed for enhancing the effectiveness and compliance of the Act:
Provide clear definitions and guidelines for key terms and concepts that are relevant for data protection, such as anonymization, cross-border transfer, data portability, vital interest, genetic data, profiling, and third party, just to name a few. This will ensure clarity and consistency in the interpretation and application of the Act and avoid ambiguity and confusion for stakeholders.
Establish a robust mechanism for cross-border data transfers that ensures an adequate level of data protection in the receiving country or provides appropriate safeguards to protect the data. This will facilitate the free flow of personal data across borders while respecting the rights and interests of data subjects.
Repeal or amend the NDPR to harmonise it with the Act and avoid any conflict or overlap between the two regulations. This will provide a single and coherent legal framework for data protection in Nigeria, eliminate recourse to the NDPR, and enhance compliance and enforcement.
For the private sector, the following recommendations apply:
Register with the NDPC as a data controller or a data processor; this is of major importance.
Appoint a data protection officer (DPO) who will be responsible for overseeing compliance with the DPA and liaising with the NDPC.
Conduct a data protection impact assessment (DPIA) to identify and mitigate any risks associated with their personal data processing activities.
Develop and implement a clear and comprehensive data protection policy that informs data subjects about their rights and obligations under the DPA.
Obtain valid and informed consent from data subjects before collecting or processing their personal data, unless another lawful basis applies.
Respect the rights of data subjects to access, rectify, erase, restrict, object, and port their personal data upon request.
Implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data, and to prevent unauthorised access, disclosure, alteration, or destruction.
Notify the NDPC and the affected data subjects promptly in case of any personal data breach that poses a risk to their rights and freedoms.
Seek approval from the NDPC before transferring any personal data outside Nigeria unless an adequacy decision or an exception applies.
Engage only reputable and reliable data processors who can guarantee compliance with the DPA and enter a written contract that specifies their roles and responsibilities.
The Data Protection Act 2020 is a welcome development that aims to provide a comprehensive and effective framework for personal data protection in Nigeria. It has some strengths that enhance the rights of data subjects and align with international best practices. However, it also has some weaknesses that need improvement or clarification to ensure its effectiveness and compliance. The policy brief has provided some recommendations for addressing these weaknesses and enhancing the Act.