On April 25, 2019, the Nigeria Data Protection Regulation 2019 entered into force.
The Regulation was issued by the National Information Technology Development Agency, NITDA, and it mirrors the EU General Data Protection Regulation (GDPR).
The Regulation’s scope of application is quite broad. It applies to all transactions intended for the processing of personal data (which relate to an identified or identifiable natural person) of natural persons in Nigeria, natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria (this latter is unlike the GDPR).
The Regulation provides for the following legal bases for the processing of personal data: i) consent, ii) necessity; iii) performance of a contract; iv) legal obligation; v) protecting a data subject’s vital interests; or vi) performance of a public interest task.
Also the data subjects’ rights mirror the ones under the GDPR, which include the right be informed and to object to the processing of personal data (also for marketing purposes), to access and obtain information about the processing of their personal data, to have the personal data deleted or corrected, to withdraw consent to the processing, right to data portability and right to seek redress with the NITDA or other administrative bodies.
Transfers of personal data out of Nigeria may take place only subject to the Regulation and provided an adequate level of protection is ensured.
The processing of data by a third party shall be governed by a written contract between the third party and the data controller.
The Regulation also sets forth monetary penalties for violation, in addition to criminal penalties. The monetary sanctions are lower than those of the GDPR but not certainly not insignificant: it provides for “fine up to 2% of annual gross revenue of the preceding year or payment of the sum of 10 million Naira [around $28,000], whichever is greater; or in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira [around $6,000], whichever is greater.”
The Nigeria Data Protection Regulation 2019 is available at https://nitda.gov.ng…
For more information about how foreign privacy rules may impact your US business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli