By: Chukwuyere Ebere Izuogu LLM (Hannover), CIPP/E

On Tuesday 17 January 2023, the Biometric Data Security and Data Protection Bill (SB. 1095) was read for the 1st time at the Senate of the National Assembly. It would be recalled that the earlier Data Protection Bill 2019 (HB. 504) and Data Protection Bill 2019 (HB. 564) sponsored by Hon. Ndudi Godwin Elumelu and Hon. Yakubu Dogara respectively has only seen first reading since 2019. On the other hand, SB. 1095 is a Senate Bill sponsored by Sen. Gershom Bassey. In its explanatory memorandum, SB. 1095 seeks to make provisions for the regulation of the processing of personal data. Accordingly, SB. 1095 makes provisions for personal data management which from a data protection perspective are the principles that apply every time personal data is processed. SB. 1095 also provides for data access entitlement which essentially embodies the rights of the data subject in relation to the personal data processed. Some of these rights are the right to be informed; by any data controller whether personal data are being processed by or on behalf of that data controller; of the description of the data controller; of the logic involved in any automated decision-making. SB. 1095 also makes several provisions in relation to the processing of personal data such as the prevention of data processing likely to cause distress, prevention of data processing for advertisement and marketing and the right of the data subject to prevent automated decision-making. An individual who suffers damage including distress resulting from non-compliance with SB. 1095 is entitled to seek redress and to be compensated by the data controller for that damage. Under SB. 1095, a data subject has a right to apply to the court for an order compelling a data controller to rectify, block, erase or destroy inaccurate data relating to the data subject. This also includes information that contains an expression of opinion that appears to the court to be based on inaccurate data. Lastly, SB. 1095 prohibits the unlawful procurement of personal data and the production of certain records. In doing so, SB. 1095 describes the various conducts that can trigger this prohibition.

  • Observations

It is quite reassuring to know that lawmakers in addition to the executive are also interested in matters of data protection. The effort put in drafting SB. 1095 is very commendable however during further consideration at the plenary and/or committee stage, there is the need to bring it in line with international best practices for legislating on data protection or data privacy. For instance SB. 1095 should make provisions that provide the legal base(s) to legitimise the processing of personal data. Secondly, it is important for SB. 1095 to create an enforcement authority or government agency with regulatory oversight over both data controllers and processors as is the usual practice in jurisdictions with a data protection framework. And
thirdly, and very fundamental, SB. 1095 in its interpretation section should provide a definition of what constitutes biometric data since this is one of the subject matters it seeks to regulate. Providing this definition would certainly leave no one in doubt as to the exact breadth of SB. 1095. If SB. 1095, proceeds to second reading and is eventually committed to a committee, I expect additional input would be provided to make these changes and others to bring it in line with global best practices for a data protection framework. I commend Sen. Gershom Bassey for taking this initiative, the first of its kind at the Senate in this present legislative session.

  • Conclusions

Three Bills on data protection are currently before the National Assembly. The Federal Government through the Hon. Minister of Communications and Digital Economy, the National Information Technology Development Agency and the Nigerian Data Protection Bureau have assured the public that an executive Bill on data protection would also be sent to the National Assembly. When the National Assembly eventually receives the executive sponsored Bill on data protection, it is likely to be consolidated with the earlier three Bills or the three Bills may be withdrawn in line with extant legislative practice and procedure. However, it is important to note that the present legislative session terminates on 11 June 2023 and it will take some level of political will from both the executive and legislature to ensure that a data protection bill is enacted into law in Nigeria before that time.

Chukwuyere is the head of the TMT practice at Streamsowers & KÖhn, and a senior research fellow at the African Academic Network on Internet Policy

Related Posts