By 
NDPB is now NDPC – The Commission
The Nigeria Data Protection Act, 2023 has a Transitional Provision that transfers all powers, agreements or contracts, actions, offices and officers of the former NDPB to the new Commission thus legitimately affirming the existing offices and actions of the officers in the current dispensation.
RELATED: Transitioning from NDPR to NDPA: Some Good, Bad and Ugly Provisions of the Newly Enacted Nigeria Data Protection Act 2023
This means Dr. Vincent Olatunji; hitherto the National Commissioner/CEO of the Nigeria Data Protection Bureau (NDPB) is to continue as the National Commissioner/CEO of the newly established Nigeria Data Protection Commission (NDPC) established under the Nigeria Data Protection Bill, 2023 signed into law by President Bola Tinubu to become the Nigeria Data Protection Act, 2023.
Transitional provisions
The section in the Act states:
- (1) A reference to the Nigeria Data Protection Bureau (in this clause referred to as “the Bureau”) existing before the commencement of this Bill, or a document issued in the name of the Bureau, shall be read as a reference to the Commission established under this Bill, and all persons engaged by the Commission shall have the same rights, powers and remedies as existed in the Bureau before the commencement of this Bill.
(2) For the purpose of subclause (1) —
(a) a person who, prior to the commencement of this Bill, was an officer, employee or member of staff of the Bureau shall continue in office, and be deemed to have been appointed under this Bill on such terms and conditions not less favourable than that enjoyed prior to the transfer of service;
(b) all existing agreements and contracts currently in effect by the Bureau, as it relates to the provisions of this Bill shall continue;
(c) all records and equipment previously belonging to or allocated for use to the Bureau shall become, on the effective date of this Bill, part of the records and equipment of the Commission;
(d) properties held immediately before the commencement of this Bill on behalf of the Bureau shall on the commencement of this Bill, be vested in the Commission established under this Bill;
(e) any proceeding or cause of action pending or existing immediately before the commencement of this Bill by or against the Bureau, in respect of any right, interest, obligation or liability may be commenced or continued, as the case may be by the Commission; and
(f) all orders, rules, regulations, decisions, directions, licences, authorisations, certificates, consents, approvals, declarations, permits, registrations, rates or other documents that are in effect before the coming into effect of this Bill and that are made or issued by the National Information Technology Development Agency or the Bureau shall continue in effect as if they were made or issued by the Commission until they expire or are repealed, replaced, reassembled or altered.
A close source in the Presidency told IT Edge News.Africa: “Mr. President was well briefed on this matter before signing the bill into law. I can tell you that government has confidence in the people in that Commission as presently constituted. Now as a statutory body, they are expected to strengthen the team to become more formidable and align with the mission of this new government to deliver results across all sectors,”
Objectives of the new law
Objectives of the new law include to safeguard the fundamental rights and freedoms, and the interests of Nigerians as data subjects; promote data processing practices and strengthen the legal foundations of the national digital economy. Part of the objectives of the Act include:
(a) safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999;
(b) provide for the regulation of processing of personal data;
(c) promote data processing practices that safeguard the security of personal data and privacy of data subjects;
(d) ensure that personal data is processed in a fair, lawful and accountable manner;
(e) protect data subjects’ rights, and provide means of recourse and remedies, in the event of the breach of the data subject’s rights;
(f) ensure that data controllers and data processors fulfil their obligations to data subjects;
(g) establish an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and
(h) strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.
Establishment of the Nigeria Data Protection Commission, and its Governing Council
- (1) There is established the Nigeria Data Protection Commission (in this Bill, referred to as “the Commission”).
(2) The Commission —
(a) shall be a body corporate, with perpetual succession and a common seal;
(b) may sue or be sued in its corporate name; and
(c) may acquire, hold and dispose of its property.
(3) The Commission —
(a) shall have its head office in the Federal Capital Territory; and
(b) may maintain other offices, in any part of Nigeria, for the purposes of achieving the objects of the Commission.
(4) Subject to the approval of the Council, the National Commissioner may acquire other offices and premises for the use of the Commission.
Functions of the Commission
- The Commission shall —
(a) regulate the deployment of technological and organisational measures to enhance personal data protection;
(b) foster the development of personal data protection technologies, in accordance with recognised international best practices and applicable international law;
(c) where necessary, accredit, license, and register suitable persons to provide data protection compliance services;
(d) register data controllers and data processors of major importance;
(e) promote awareness on the obligation of data controllers and data processors under this Bill;
(f) promote public awareness and understanding of personal data protection, rights and obligations imposed under this Bill, and the risks to personal data;
(g) receive complaints relating to violations of this Bill or subsidiary legislation made under this Bill;
(h) collaborate with any relevant ministry, department, agency, body, company, firm, or person for the attainment of the objectives of this Bill;
(i) ensure compliance with national and international personal data protection obligations and best practice;
(j) participate in international fora and engage with national and regional authorities responsible for data protection with a view to developing efficient strategies for the regulation of cross-border transfers of personal data;
(k) determine whether countries, regions, business sectors, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms, afford adequate personal data protection standards for cross-border transfers;
(l) collect and publish information with respect to personal data protection, including personal data breaches;
(m) advise government on policy issues relating to data protection and privacy;
(n) submit legislative proposals to the Minister necessary for strengthening personal data protection in Nigeria; and
(o) carry out other legal actions as are necessary for the performance of the functions of the Commission.
Powers of the Commission
- The Commission shall have powers to —
(a) oversee the implementation of the provisions of this Bill;
(b) prescribe fees payable by data controllers and data processors in accordance with data processing activities;
(c) issue regulations, rules, directives and guidance under this Bill;
(d) prescribe the manner and frequency of filing, and content of compliance returns by data controllers and data processors of major importance to the Commission;
(e) call for information from a person, or inspect any documents with respect to any thing done under this Bill;
(f) conduct investigations into any violation of a requirement under this Bill or subsidiary legislation made under this Bill by a data controller or a data processor;
(g) impose penalties in respect of any violation of the provisions of this Bill or subsidiary legislation made under this Bill;
(h) acquire assets, and sell, let, lease, or dispose of any of its property; and
(i) perform such other acts as are necessary to give effect to the functions of the Commission.
Independence of the Commission and composition of Governing Council
- (1) There shall be for the Commission, a Governing Council … for a term of four years, and may be eligible for re-appointment for another term of four years, and no more;
Appointment of members of the Council
(a) a part-time Chairman, who shall be a retired judge of Nigeria;
(b) the National Commissioner;
(c) a representative, not below the rank of a Director or its equivalent, from —
(i) the Federal Ministry responsible for Justice,
(ii) the Federal Ministry responsible for communications and digital economy,
(iii) the Central Bank of Nigeria, and
(iv) a law enforcement agency; and
(d) one representative from the private sector.
Appointment of the National Commissioner for the Commission
According to the Act, the National Commissioner shall serve for five years and be renewable only ones.
Directives by the Minister
- Subject to the provisions of this Bill, the Minister may give to the Commission directives of a general nature or relating generally to matters of policy with respect to the objectives and functions of the Commission, and the Commission shall comply with the directives.
Regulations
- (1) The Commission may make regulations for carrying out its objectives under this Bill.
(2) Without prejudice to subclause (1), the regulations may provide for —
(a) the financial management of the affairs of the Commission;
(b) the protection of personal data and data subjects;
(c) the manner in which the Commission may exercise any power, discharge any duty or perform any function under this Bill;
(d) any matter that under this Bill is required or permitted to be prescribed;
(e) the forms of applications and related documents required for the purposes of this Bill;
(f) the procedures to be followed under this Bill in the submission of complaints to the Commission;
(g) frequency of filing and content of compliance returns by data controllers and data processors of major importance to the Commission;
(h) fees, fines, and charges prescribed under this Bill and such related matters; and
(i) any matter that the Commission considers necessary or expedient to give effect to the objectives of this Bill.
(3) The regulations made under this Bill may –
(a) create offences in respect of any contravention of the regulations; and
(b) impose penalty not more than that prescribed in this Bill.
(4) The Commission may, prior to making any regulation under this Bill, publish on its website, a draft regulation and a notice inviting comments to be submitted on the proposed regulation within a stipulated time.
Act prevails over other law or enactment
- Where the provisions of any other law or enactment, in so far as they provide or relate directly or indirectly to the processing of personal data, are inconsistent with any of the provisions of this Bill, the provisions of this Bill shall prevail.
Expenditure of the Fund
The Commission shall be funded thus: 20% of the take-off grant shall be from the Consolidated Revenue Fund of the Federation, 40% of the take-off grant shall be from the Nigerian Communications Commission, and 40% of the take-off grant shall be shall be from the National Information Technology Development Agency.
- (1) The Commission shall establish a Fund (in this Bill referred to as “the Fund”) for the performance of its functions under this Bill.
(2) There shall be paid into the Fund established under subclause (1) —
(a) a take-off grant as may be appropriated by the National Assembly which shall be drawn in the following manner —
(i) 20% of the take-off grant shall be from the Consolidated Revenue Fund of the Federation,
(ii) 40% of the take-off grant shall be from the Nigerian Communications Commission, and
(iii) 40% of the take-off grant shall be shall be from the National Information Technology Development Agency;
(b) donations, gifts, loans, grants, aids, endowments, and voluntary contributions;
(c) returns on investments of the Commission;
(d) levies, fees, penalties, and fines collected by the Commission; and
(e) such other money or assets that may accrue to the Commission.
(3) 50% of the total amount of the take-off grant shall be provided to the Commission on the commencement of this Bill, and the remaining 50% of the take-off grant shall be provided on the anniversary of the date on which this Bill commences.
(4) Subject to any applicable law, the Commission may borrow such sums of money, as may be required in the performance of its functions under to this Bill.
Principles and Lawful Basis Governing Processing of Personal Data
- (1) A data controller or data processor shall ensure that personal data is —
(a) processed in a fair, lawful and transparent manner;
(b) collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;
(c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;
(d) retained for no longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;
(e) accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and
(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
(2) A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.
Registration and Fees
- (1) Data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Bill or on becoming a data controller or data processor of major importance.
- The Commission may prescribe fees or levies to be paid by data controllers and data processors of major importance.
Enforcement & Penalties
- (1) A data subject, who is aggrieved by the decision, action, or inaction of a data controller or data processor in violation of this Bill, or subsidiary legislation made under this Bill may lodge a complaint with the Commission.
(2) The Commission may investigate any complaint referred to it, where it appears to the Commission that the complaint is not frivolous or vexatious.
(3) The Commission may initiate an investigation of its own accord where it has reason to believe a data controller or data processor has violated or is likely to violate this Bill or any subsidiary legislation made under this Bill.
(4) The Commission may, for the purpose of an investigation, order a person to —
(a) attend at a specific time and place for the purpose of being examined orally in relation to a complaint;
(b) produce such document, record, or article, as may be required with respect to any matter relevant to the investigation, which the person is not prevented by any other written law from disclosing; or
(c) furnish a statement in writing made under oath or an affirmation setting out all information, which may be required under the order.
(5) Where any material to which an investigation relates, consists of information stored in any document, record, minutes, mechanical or electronic device, the Commission may require the person named to produce such material or give access to the Commission to conduct an inspection on the material.
(6) For the purposes of subclause (5), the person shall ensure that the information relating to the material under investigation is visible and legible, in a structured, commonly used and machine-readable format.
(7) The Commission may, where necessary, make representations to —
(a) the data controller or data processor on behalf of a complainant; or
(b) a complainant on behalf of the data controller or data processor.
(8) The Commission shall —
(a) establish a unit to receive and follow up on complaints from data subjects and conduct investigations; and
(b) adopt rules and procedures on handling complaints and conducting investigations referred to it under this Bill.
- (1) Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any requirement under this Bill or subsidiary legislation made under this Bill, the Commission may make an appropriate compliance order against that data controller or data processor.
(2) The order made by the Commission under subclause (1) may include a —
(a) warning that certain act or omission is likely to be a violation of one or more provisions under this Bill or any subsidiary legislation or orders issued under it;
(b) requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under this Bill; or
(c) cease and desist order requiring the data controller or data processor to stop or refrain from doing an act, which is in violation of this Bill, including stopping or refraining from processing personal data that is the subject of the order.
(3) An order made under this clause shall be in writing and shall specify —
Compliance/ Enforcement Orders
(2) An enforcement order made or sanction imposed under subclause (1) shall include —
(a) requiring the data controller or data processor to remedy the violation;
(b) ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
(c) ordering the data controller or data processor to account for the profits realised from the violation; or
(d) ordering the data controller or data processor to pay a penalty or remedial fee.
(3) A penalty or remedial fee under subclause (2) (d) may be an amount up to the —
(a) higher maximum amount, in the case of a data controller or data processor of major importance; or
(b) standard maximum amount, in the case of a data controller or data processor not of major importance.
(4) The “higher maximum amount” shall be the greater of —
(a) ₦10,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.
(5) The “standard maximum amount” shall be the greater of —
(a) ₦2,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.
Failure to comply with orders is an offence
- (1) A data controller or data processor, who fails to comply with orders made under clause 47 of this Bill commits an offence and is liable on conviction to —
(a) a fine of up to the —
(i) higher maximum amount, in the case of a data controller or data processor of major importance, or
(ii) standard maximum amount, in the case of a data controller or data processor not of major importance; or
(b) imprisonment for a term not more than one year or both.
Independence of Commission in doubt
While the Act has set the country on new positive direction, many experts are agreed that the independence of the Commission is in doubt as reliance is placed on the executive arm of government. The governing council shows the President as the appointing authority, while the Minister of Communications and Digital Economy is vested with the power to approve certain matters significantly diluting the independence of the Commission. The Act states: “the Minister may give to the Commission directives of a general nature or relating generally to matters of policy with respect to the objectives and functions of the Commission, and the Commission shall comply with the directives.”
