Data Protection, Privacy, Privacy Law, Nigeria Data Protection Act, NDPR, NDPA, GDPR.
The Nigeria Data Protection Act, 2023 ("NDPA") was signed into law by President Bola Ahmed Tinubu on the 14th of June, 2023. The NDPA makes notable provisions for the protection of personal data and is the first law signed by a legislative body that specifically addresses the protection of personal data in Nigeria. While the NDPA is touted by stakeholders to be a major game changer in the regulation of personal data in Nigeria and also a source of revenue generation with a projection of roughly 16 Billion Naira in annual revenue, there exist certain grey areas, and we intend to provide insight on at least two grey areas.
First is the age of a child as ascribed under the NDPA, particularly the processing of a child's personal data and consent to the processing of such personal data. Second, is the power of the National Assembly to make laws for the protection of personal data for the Federation. This article examines the issues surrounding the processing of the personal data of children as well as the power of the National Assembly to enact a law on personal data in Nigeria.
Child Consent to Data Processing
The NDPA provides that consent must be sought from the parent or legal guardian of a child before processing the personal data of that child. However, consent of a parent or guardian is not required when processing is (a) necessary to protect a child's vital interest, (b) carried out for the purposes of education, medical or social care and undertaken by a professional owing a duty of confidentiality or (c) necessary for legal proceedings involving the child. According to the NDPA, the meaning of a "child" is to be deduced from the Child Right Act, 2003 (the "CRA"). The CRA defines a child as a person below the age of "18" years of age. 
Though the CRA defines a child as a person below the age of "18" years, it is pertinent to note that issues of child rights protection do not fall under the exclusive or concurrent legislative list of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (the "Constitution"), with respect to which the National Assembly has powers to make laws with nationwide application. Anything not contained in both lists falls under the residual list, of which child rights protection is not an exception. The National Assembly enacted the CRA based on its power to legislate for only the Federal Capital Territory ("FCT"). Many States have their respective child rights laws that adopt various definitions or age limits for children, some defining a child as a person below 18 and others setting a lower threshold. For instance, the Child Rights Law of Akwa Ibom State defines a child as a person below 16 years of age.
Given that the issue of child protection is a residual matter, and the CRA was enacted by the National Assembly based on its powers to legislate for the FCT, it would appear that the NDPA cannot ascribe an age of consent to data processing of a child for the full Federation, or at least, adopt the CRA's definition of a child for data processing of a child. The National Assembly cannot ascribe the definition so provided under the CRA without recourse to the Child Rights Laws of States. However, one may argue that the NDPA is specific to the protection of personal data and the Child Rights Laws of States are general laws. Hence, in such situations, a specific law would prevail over a general law, thereby making the NDPA prevail over other Child Rights Laws because it is specific to the processing of personal data of a person, regardless of whether it is a child's personal data. Nonetheless, we are of the view that a better approach would have been for the lawmakers to take into consideration the definition of a child in other Child Rights Laws of States and the peculiarities of different States of the Federation. Perhaps, the NDPA's interpretation of a child should be amended to read "Child as the meaning ascribed in the Child Right Act 2003, or the Child Right Laws of States as the case may be".
Powers of the National Assembly to Legislate on Data Privacy
The NDPA, which was enacted by the National Assembly, applies to the processing of personal data within Nigeria, including the processing of personal data of a Nigerian data subject by data controllers and processors resident or domiciled abroad. However, the National Assembly only has the power to legislate for the Federation either under the executive legislative list or concurrent legislative list of the Constitution or with respect to any other matter in which it is empowered by the Constitution. A careful perusal of the exclusive and concurrent legislative lists of the Constitution would reveal that data protection/privacy falls outside the legislative purview of the National Assembly. Also, there are no other provisions in the Constitution (outside the exclusive and concurrent legislative lists) that empower the National Assembly to make laws on data protection/privacy. By virtue of section 4(7)(a) of the Constitution, residual matters (meaning matters neither in the exclusive nor concurrent legislative lists) are reserved for State House of Assemblies and not the National Assembly. See AG Abia State v. AG. Federation (2006) 16 NWLR (Pt. 1005) 265.
Further, one may argue that fingerprints identification in item 28 of the exclusive legislative list relates to personal data and item 68 of the exclusive legislative list gives the National Assembly the power to enact laws on any matter incidental to, or supplementary to any matter so provided under the exclusive legislative list, thereby empowering the National Assembly to legislate on personal data. This position would have been tenable if the lawmakers had utilized a "comma" just between fingerprints and identification. The use of a comma makes data privacy/protection an incidental or supplementary matter to identification, as a person can be identified by his or her personal data, which is the crux of data protection. In the absence of a comma, the words fingerprints identification should be read together, and thus, we believe that fingerprints identification and criminal records, though forms of personal data, are insufficient to give the National Assembly power to legislate on data privacy for the Federation under the exclusive legislative list.
Data privacy forms part of residual matters, which States have the exclusive power to legislate on. To this end, the enactment of the NDPA for the Federation would appear unconstitutional. Given the degree of importance of personal data, we recommend that either the exclusive legislative list or concurrent legislative list be amended to include data protection/privacy. We are of the view that the insertion of data privacy in the exclusive legislative list is preferable for the purposes of uniformity and national spread. Otherwise, section 2(2) of the NDPA, which applies provisions of the NDPA to the processing of personal data all over Nigeria, might be expunged by the courts sooner than later.
While the enactment of the NDPA by the National Assembly is an important milestone and indeed a laudable step taken towards the protection of personal data in Nigeria, there are, however, controversies or issues surrounding the constitutionality of the NDPA's application to the Federation, given the absence of personal data, data privacy or data protection in the exclusive and concurrent legislative lists of the Constitution. Thus, the exclusive legislative list or concurrent legislative list of the Constitution needs to be amended to include data privacy/protection or personal data to give the National Assembly the requisite powers to make data protection laws for the Federation. Also, in view of the peculiarities of Child Rights Laws of different States in Nigeria and varying factors, it is expedient to amend the NDPA to accommodate other interpretations provided for under Child Rights Laws of different States. There are, however, no doubts that the NDPA is a major game changer and a new dawn for the protection of personal data in Nigeria.
Juliet Umeh “Data protection Act: Nigeria may generate over N16bn in data businesses” < https://www.vanguardngr.com/2023/06/data-protection-act-nigeria-may-generate-over-n16bn-in-data-businesses/ > accessed 23 June 2023.
NDPR, section 31(1).
Section 31(4) of the Act. Section 3 excludes certain provisions of the Act from being applicable to data processed in respect of Section 3(2), and the requirement for child consent is among the provisions excluded.
NDPA, section 65.
Section 277 of the Act
Constituon, Second Schedule Part II
“Black Heritage Publication.. Exploring our World” available online at http://blackheritagepublication.blogspot.com/2014/07/akwa-ibom-child-rights-law.html
See Adedayo & Ors. v. PDP & Ors. (2013) LPELR-20342 (SC) and Ibori v. Ogburu (2004) 15 NWLR (Pt. 895) 154 at 194 – 195.
NDPA, section 2.
Constitution, section 4(3)(4). State also have power to legislate under the concurrent list, but whenever there is a conflict between state law and the Federal law, state law will take precedence
See also CIL Risk & Asset Mgt. Ltd. v. Ekiti State Govt. (2020) 12 NWLR (Pt. 1738) 203.
Punctuations Form Part of an enactment, and regard shall be had to it accordingly, in construing the enactment (Section 3(1) of the Interpretation Act.