-1323.png){kind=logo}
Written by Dorcas Tsebee and Ridwan Oloyede
Introduction
Nigeria's journey to enact comprehensive data protection legislation has taken nearly two decades, much longer than anticipated. Despite the fact that the Nigeria Data Protection Regulation was published in January 2019, the country still needed a comprehensive law from the legislature. The Nigerian National Policy for Information Technology, published in 2000, was one of the earliest policy directions on data protection. One of the policy objectives was the protection of online business transactions, privacy, and security, and it was the federal government's responsibility to enact a data protection law to achieve this objective. Nonetheless, it has taken over two decades to get to where we are today.
Tracing the Evolution of Legislative Milestones (2005-2023)
2005
In 2005, the Computer Security and Critical Infrastructure Protection Act was proposed. Despite not being called a data protection law, its goal was to improve computer security, identify and protect critical information infrastructure, and address computer security issues. Although it does not specifically address data protection, it was the first and closest attempt to enact a semblance of a data protection law.
2009
In 2009, the Privacy Bill 2009 was introduced, which provides for data protection but needs to be more robust as it fails to provide for the basic principles of data processing. Progress with the bill has stalled since.
2010
In 2010, the Data Protection Bill was introduced, which represented an improvement over previous attempts. The bill provided for the rights of data subjects and made provisions for an adequate level of protection of personal data, except for sensitive personal data. By and large, the bill needed significant improvements to bring it into line with international best practice.
2012
In 2012, the National Identity Management Commission (NIMC) proposed the Personal Information and Data Protection Bill with the aim of protecting data handled by the agency.
2014
The Personal Information and Data Protection Bill 2014 was introduced but did not make it to the legislative wheel.
2016
In 2016, the Protection of Personal Information Bill 2016 was introduced in the 7th National Assembly by House Member Honourable Yakubu Dogara and was yet another legislative attempt towards data protection in Nigeria.
2017
In 2017, the Data Protection Bill was sponsored by Senator Ahmad Ibrahim Lawan and made provisions for regulating information relating to individuals. Although it was specific to data protection, it still needed to be improved.
2018
In 2018, the Senate Committee on Judiciary, Human Rights, and Legal Matters mandated a review of the 2016 and 2017 data protection bills in order to propose a harmonised data protection and privacy bill. The bill was a product of the data protection bills proposed in the past, namely, the Personal Information and Data Protection Bill 2014, the Data Protection Bill 2015, and the Protection of Personal Information Bill 2016. The Data Protection Bill provided some commendable provisions and made it through all the legislative stages.
However, in May 2019, when the National Assembly forwarded the bill to the President for assent, the President refused to give his assent, and no reason was publicly provided for the refusal.
2019
There were different versions of the 2019 data protection bill. In 2019, two data protection bills were presented before the House of Representatives, the 2019 Data Protection Bill, sponsored by Hon. Nduidi Godwin Elemelu, and the 2019 Data Protection Bill, sponsored by Hon. Yakubu Dogara. Both bills only progressed beyond the first reading. In the Senate, a Protection of Personal Information Bill, 2019, sponsored by Senator Stella Oduah, is also stuck at its first reading.
2020
The 2020 Data Protection Bill was the most comprehensive at the time, having been introduced by the Federal Government through the Legal and Regulatory Reform Working Group (LWG) in March 2020. This was in support of the Federal Government's implementation of the Nigeria Digital Identification for Development (ID4D) Project. Despite numerous assurances, the bill never made it to the legislative agenda.
2022
In October 2022, the Data Protection Bill was published, followed by a validation exercise.
2023
In January 2023, the Federal Executive Council approved a copy of the 2022 bill. In April 2023, the Data Protection Bill 2022 was finally sent to the National Assembly. The bill was accompanied by a letter from the president urging the Senate to enact the law. The Senate had promised passage of the law within 30 days of its receipt. It is unclear if the Senate will stick to the timeline; however, the bill is anticipated to be passed before the end of the current legislative cycle in June. On April 5, 2023, the bill received its first reading, and on April 6, 2023, it passed the second reading stage at the House of Representatives, and a public hearing may be on the horizon.
Conclusion
After about two decades of unsuccessful attempts, Nigeria may finally pass a comprehensive data protection law. The law will formally establish the Nigeria Data Protection Bureau as the data protection authority, which has been operating without an establishing law since last year. One of the bill's provisions is the mandatory registration of data controllers and processors of significant importance. The version of the bill presented to the National Assembly still contains some of the issues raised when the draft was published. Still, given the difficulty of amending laws in Nigeria, we hope the public hearing will provide a credible opportunity for useful inputs to improve the quality of the bill. Finally, the legislative effort is expected to harmonise various versions of bills that were abandoned at various stages of the current legislative cycle.
Update!
The Bill came up for second reading before the Senate on May 2, 2023, and was referred to the Senate Committee on ICT and Cybercrimes. The committee's report was expected to be presented in four weeks. However, on May 3, 2023, the Senate passed the bill. The bill is expected to witness a similar fate in the House of Representatives over the next few weeks. Finally, the president is expected to assent to the bill before the end of the administration on May 29, 2023.
