Introduction
The benefits that the internet brings come with their own risks. One such risk is the breach and abuse of private personal data, usually for dishonest commercial gain. Data Protection legislation is one of the statutory attempts to curb, if not eliminate, some of the risks associated with the use of online facilities.
Data Protection can be described as the protection of sensitive information from damage, loss, corruption or intrusion into privacy.
As Data Protection is now a very important aspect of the digital world in the twenty-first century, the Data Protection Act, 2023 was recently passed into Law. This Business Alert is a general summary of some of the highlights of this new Law, to guide you on how this subject will have an impact on your online activities.
Objectives – Data Protection Act, 2023
The Data Protection Act, 2023 (“DPA 2023”) states in its preamble that the Law is intended to provide the legal framework for the protection of all sensitive personal information, and to establish the Data Protection Commission to regulate the processing of personal data.
These objectives are designed to work in tandem with the safeguarding of the Fundamental Rights and freedoms of all individuals, who are the Data Subjects, by promoting data processing practices that protect the security and privacy of all Data Subjects.
The Data Protection Commission is established by the DPA 2023 as an independent Commission, and regulator for data protection.
The functions of the Data Protection Commission include the development of data protection technologies and techniques, in accordance with International Law and best international practices on data protection.
The Data Protection Commission is authorised, as part of its statutory duties, to accredit, license and register suitable persons as Data Controllers and Data Processors to provide data protection services. The Commission is also empowered to conduct investigations into any violation of the provisions of the DPA 2023, and to impose penalties for any data infringement.
Data Processing
A Data Controller is the person who, alone or jointly with others, determines the purpose and means of processing personal data. A Data Processor, on the other hand, is a person who processes personal data on behalf of, or at the direction of, a Data Controller or another Data Processor.
All Data Controllers and Data Processors are required by the DPA 2023 to process personal data lawfully, in a transparent and confidential manner, and only for the explicit and legitimate purpose for which the data was collected.
Generally speaking, Data Processing is lawful only if the consent of the Data Subject is freely and deliberately obtained; or the processing is necessary for the performance of a contract; or is required for compliance with a legal obligation; or is necessary for the performance of a task carried out in the public interest.
Data Controllers and Data Processors are each required to designate a Data Protection Officer (“DPO”) who must be someone with expert knowledge of Data Protection Laws, regulations and best practices. The DPO must also have the ability to carry out the tasks set out for this position in the DPA, 2023.
A DPO may be an employee of the Data Controller or Data Processor, or may be engaged as an outside contractor.
Data Protection Compliance Services
The Data Protection Commission is authorised to license any person with the requisite expertise in Data Protection Compliance to monitor, audit and report on Data Compliance matters to Data Controllers, who in turn report to the Data Protection Commission.
Data Subject Rights
A Data Subject is the individual whose personal data is collected and processed by a Data Controller or a Data Processor. A Data Subject has the legal right to request and obtain from a Data Controller, without constraint or unreasonable delay, confirmation of whether the Data Controller, or a Data Processor operating on behalf of the Data Controller, holds any of the Data Subject’s personal data.
Where the Data Controller holds a Data Subject’s personal data, the Data Controller is required by Law to inform the Data Subject of the purpose for collecting, retaining and processing that personal data, together with the period for which the Data Controller has kept and will continue to keep it.
The Data Subject also has the statutory right to request that the Data Controller rectify or erase the Data Subject’s personal data from the Data Controller’s systems. This applies in particular where the personal data is inaccurate, out of date, incomplete or misleading, or is no longer necessary for the purposes for which it was originally collected and processed.
A Data Subject also has the legal right to withdraw, at any time, any consent given for the processing of the Data Subject’s personal data.
Exceptions to Data Protection
The protection of the personal data of a Data Subject is a fundamental right under the Constitution. One of the exemptions to a Data Subject’s right to the protection of his or her personal data is where the Data Controller is able to demonstrate that the collection and processing of the personal data, without the express consent of the Data Subject, is in the public interest, is authorised by a written Law, or rests on another legitimate ground.
Data Security
Data Controllers and Data Processors are required to implement appropriate technical and organisational measures that ensure the security, integrity and confidentiality of all personal data that they handle.
Where the personal data of a Data Subject is found to have been breached, the Data Subject and the Data Protection Commission are required to be informed immediately of the details of the data breach and of the steps being taken to mitigate any risks that could arise from it.
Cross-Border Data Transfers
As in other jurisdictions, Data Controllers and Data Processors shall not permit the transfer of any personal data of a Data Subject to another country unless the recipient of the personal data is bound by legal provisions similar to those in the Data Protection Act, 2023.
One exception to this cross-border transfer requirement is where the Data Subject, having been informed of the possible risks of such a transfer, has given and has not withdrawn his or her consent to the cross-border transfer of the personal data, despite the absence of adequate data protection safeguards in the jurisdiction to which the personal data is being transferred.
Another exception to the cross-border transfer requirement is where the transfer is necessary for the performance of a contract to which the Data Subject is a party.
Enforcement of Data Protection Rights
A Data Subject who is aggrieved by the action, inaction or conduct of a Data Controller or a Data Processor has the right to lodge a complaint with the Data Protection Commission.
Upon receipt of a data breach complaint, the Data Protection Commission may initiate an investigation and, where the investigation establishes a violation of any of the provisions of the DPA 2023, the Data Protection Commission may make an appropriate Compliance Order against the Data Controller and/or the Data Processor.
A Compliance Order may include a warning; an order mandating compliance with the provisions of the DPA 2023 that were breached; a cease-and-desist order; or the payment of compensation by the Data Controller or the Data Processor to a Data Subject who has suffered injury, loss or harm as a result of a data breach or other violation.
A Data Controller and a Data Processor have the legal right to challenge any Compliance Order by way of judicial review by a Court of Law.
Data Protection – Remedies, Offences and Penalties
A Data Subject who is dissatisfied with a Compliance Order made by the Data Protection Commission has the further right, within thirty (30) days of the issuance of the Compliance Order, to apply to a Court of Law for the judicial review of the order.
A Data Subject who suffers any injury, loss or damage as a result of a data breach also has the right to seek compensatory damages in civil proceedings against the Data Controller or Data Processor responsible for the breach.
A Data Controller and a Data Processor shall be vicariously liable for any infringing acts or omissions of their agents, privies and employees where the infringement was carried out in the course of the Data Controller’s or the Data Processor’s business.
The principal officers of a Data Controller or a Data Processor could be held jointly and vicariously liable for any data breach, unless those principal officers are able to establish that they exercised due diligence to prevent the breach and/or that the breach occurred without their consent or connivance.
Failure to comply with a Data Protection Commission Compliance Order within the timeline given is an offence which, on conviction after trial, attracts a fine, or imprisonment for a term not exceeding one (1) year, or both the fine and the term of imprisonment.
Conclusion – Comments and Observations
Establishing the Data Protection Commission as the Regulator for Data Protection continues the multiplication of regulatory bodies over the same or similar subject matters. Examples of such similar regulatory bodies are the Communications Commission and the National Information Technology Development Agency. The Data Protection Commission could have been created as a department under one of the existing regulatory agencies, thereby reducing the cost of governance.
Our second observation is that it is not only the personal data of individuals that deserves statutory protection. Government and public sector data also deserve strengthened, statutory protection.
Disclaimer
This is free educational material which serves only as a general guide. It is not an exhaustive discussion of this topic. It does not constitute solicitation, advertisement or the offering of legal services or advice of any kind, and no Client/Attorney relationship is created by it. Readers are strongly advised always to seek competent legal advice from qualified Legal Practitioners on their specific factual situation, or on any questions or concerns arising from it.
Intellectual Property Protected!
This material is protected by International Intellectual Property Laws and Regulations. This material can therefore only be reproduced or re-distributed for non-profit educational purposes under the strict condition that our Oserogho & Associates Authorship of this material is explicitly acknowledged, and our above Disclaimer Notice is prominently displayed.