Data is considered one of the world’s most valuable assets. The growth spurt of technology, the emergence of big data, and the mass volumes of data generation, processing, and online storage have created concerns for governments, businesses, and individuals regarding data protection and privacy. This is especially true as markets have emerged where personal data are being mined and used for nefarious purposes.

The Nigeria Data Protection Act 2023 marked substantial progress towards a comprehensive data protection regime.  This write-up highlights the scope of consent available to a data subject, the rights of a data subject over the processing and storage of their personal data, and remedies available where there is a breach of their rights as prescribed by the Act.

Key Definitions

Personal Data – Refers to any information directly or indirectly identifiable/relatable to individuals.

Data Subject – This refers to individuals whose personal data are collected and processed.

Data Processor – This refers to an organisation, agency, individual, or body that processes personal data on behalf of a data controller or another processor.

Data Controller – This refers to an organisation, individual, or body that, solely or jointly with others, determines the purpose or mode of processing personal data.

Data processing – Encompasses an operation or set of operations performed on/ with personal data by manual or automated means.

The Scope Of Consent In The Nigeria Data Protection Act 2023

In controlling or processing the personal data of individuals, data controllers and data processors are guided by several principles, one of which is the principle of consent. Consent refers to a data subject’s specific, unambiguous, written, or oral statement or affirmative agreement allowing a data controller to process their personal data or another individual’s data for which they had obtained consent.

For a data controller or processor to deal or interfere with an individual’s data, consent must be obtained. Section 25 of the NDPA provides thus: “Data processing shall only be lawful where data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed.”

The effect of this provision is that, for data processing to be lawful, consent must have been sought and given freely and intentionally by a data subject. The burden of proof for establishing a subject’s consent resides on the data controller, and the silence or inactivity of the data subject shall not substitute for consent. The Act also provides that a data subject must be informed of the right and method to withdraw their consent at any time. Instances where consent would not be a requirement for a data controller/data processor to process data include:

1. For the performance of a contract to which the data subject is a party or to enter a contract on the data subject’s request.
2. To comply with a legal obligation to which the data controller or processor is a subject.
3. When processing is necessary to conduct a legal proceeding or to obtain legal advice.
4. Processing is necessary to pursue a disclosed legitimate purpose, to protect public interest, public health, and historical, statistical, or scientific research based on law while considering that the fundamental rights and freedoms of the data subject must be protected.

Rights Of A Data Subject

Accompanying data processing are several risks to the rights and freedoms of a data subject. Consequently, a data subject whose personal data is in the control of a data controller/data processor has been vested with the right to safeguard these interests. The rights of a data subject, as provided in the NDPA, are examined below.

         a. Right to verification

A data subject has the unrestrained right to confirm whether a data controller or processor operating on their behalf is storing or processing their data. The data controller or processor is obligated in such instances to provide details regarding the purposes of the processing promptly, the categories of personal data concerned, the recipients of the data being processed, and the period of processing where possible.

         b. Right to request for erasure

Where a subject verifies that a data controller or processor has processed or is processing their data, the subject may request data erasure and restrict processing or object to such processing. The data subject also reserves the right to request the correction of inaccurate, out-of-date, or misleading data. If correction is impossible or not feasible, the data subject has the right to request the deletion of data, and the data controller or processor should delete same without delay. The data controller or processor may also restrict the processing of personal data pending the resolution of the data subject’s objection or the exercise of legal claims.

The data controller is also obligated to erase, without undue delay, the personal data of data subjects upon the expiration of the purpose for which it was collected and when there’s no lawful basis to retain the data.

         c. Right to object

A data subject can object to or disallow a data controller from processing their data, and the data controller shall discontinue processing unless it can demonstrate a public interest or other legitimate grounds that would override the data subject’s fundamental rights and interests.

Other rights available to a data subject as provided by the Act the right not to make decisions regarding personal data processing, which may incur legal effects to the data subject based on an automated process, and the right to portability, which allows a data subject to request and receive their personal data from a data controller in a structured, and machine-readable format.

Remedies Available To A Data Subject

A data subject aggrieved by a data controller or data processor’s decision, action, or inaction that breached the Act or any other subsidiary legislation may complain to the Nigeria Data Protection Commission (the Commission) for it to initiate investigations. In the event that the Commission is satisfied upon investigation that a violation of the Act occurred, it is empowered to make compliance orders varying from warnings, cease and desist orders, or compulsory compliance orders. The Commission may make orders or sanctions, which shall include – an order requiring that the data subject be compensated for any loss caused by the breach, that the data controller or processor give an account of the profits realised from the violation or that a remedial fine of up to  NGN 10,000,000 (Ten Million Naira), in the case of a data controller or processor of significant importance or NGN2,000,000 (Two Million Naira) in the case of a data controller or processor that is not of significant importance be paid.

Conclusion

The primary goal of data protection is not limited to safeguarding sensitive information but is also keen on ensuring that while data remains accessible and reliable, trust and compliance in data-centric operations are also preserved. The Nigeria Data Protection Act 2023 recognises the risk associated with loose data protection frameworks in organisations and seeks to mitigate these risks.