Law: Nigerian Data Protection Act, 2023 (the Act)

Regulator: the Nigeria Data Protection Commission (NDPC)

Summary: On June 12, 2023, the Nigerian Data Protection Act 2023 (the Act) came into effect, providing a comprehensive legal framework for protecting personal information and establishing the Nigerian Data Protection Commission (NDPC). The Act aligns with international standards and establishes key principles governing the processing of personal data, including specific provisions for processing sensitive and children's data.

Additionally, it introduces requirements for data controllers, such as the obligation to conduct Data Protection Impact Assessments, designate data protection officers, and implement breach notification and data security measures. Furthermore, the Act places restrictions on cross-border data transfers, adopting the concept of adequate protection. Data subjects are granted essential rights, including the ability to object, withdraw consent, exercise data portability, and protect against subjection to decisions based solely on automated processing.

Notably, the Act introduces a special category, Data Controllers and Data Processors of Major Importance, which includes entities processing valuable personal data, subject to substantial penalties of NGN 10 million (approx. $12,690) or 2% of the preceding year's revenue (whichever is higher) for violations. Moreover, Nigeria has signed the Economic Community of West African States (ECOWAS) Supplementary Act A/SA. 1/01/10 on Personal Data Protection within ECOWAS of 16 February 2010 (the Act), although ratification is pending.