The Nigerian Data Protection Commission (NDPC) has revealed that over 1,300 indigenous firms are under probe for breaching the Nigeria Data Protection Act (NDPA) of 2023. In furtherance of the investigation, the commission has the firm 21 days to submit evidence of compliance with the NDPA or face sanctions.
According to a statement released on Monday by the commission, signed by Head, Legal, Enforcement and Regulations, Babatunde Bamigboye Esq., the 1,369 local organisations have failed to comply with Nigeria’s data protection act.
He explained that the move aligns with the NDPC’s mandate to protect the rights and freedoms of data subjects under the 1999 Constitution while strengthening Nigeria’s digital economy.
“In line with Sections 5(1), 6(a), 6(c), 46(3), and 47(1)-(2) of the NDP Act, the Commission has issued Compliance Notices to certain organisations listed in the schedule of its notice,” part of the statement reads.
The erring organisations, published by the NDPC, include 795 financial institutions, 392 insurance broker firms, 35 insurance companies, 10 pension companies, and 136 gaming companies.
Bamigboye explained that the Act seeks to strengthen the legal foundations of Nigeria’s digital economy. In extension, it safeguards Nigeria’s image and beneficial participation in global economies through the responsible use of personal data.
Consequently, the NDPC has given the indigenous organisations 21 days to submit evidence of compliance with the NDPA or face sanctions.
The NDPA is Nigeria’s first comprehensive federal law for personal data protection. It was signed into law on June 12, 2023, by President Bola Ahmed Tinubu.
It establishes the NDPC to oversee data privacy, mandates data handling principles like fairness and security, and sets penalties for violations. This includes the requirement for data controllers to report data breaches within 72 hours. The Act also aims to protect individuals’ fundamental privacy rights, promote responsible data practices, and boost Nigeria’s position in the global digital economy.
Also Read: NDPC slams Multichoice with ₦766M fine for unauthorised data transfers.
NDPC states expected actions from erring companies
In accordance with the suspected flag of their non-compliance with the NDPA, the commission has directed all 1,369 companies to submit certain evidence. These documents will serve as a measure for the NDPC’s next step of action.
Within 21 days, they are expected to provide evidence of filing NDPA Compliance Audit Returns for 2024, evidence of appointment of a Data Protection Officer, and a summary of technical and organisational measures for data protection within the organisation.
Also, they are to provide evidence of registration as a Data Controller or Processor of Major Importance as required by the NDPA.
Bamigboye explained that failure to comply with the directives might result in further enforcement actions. This will range from the issuance of an enforcement order, administrative fines, and/or criminal prosecution in accordance with the NDPA.
“The NDPC remains committed to ensuring a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the nation’s digital economy,” he said.
In its commitment towards data handling, the NPC recently fined Multichoice Nigeria N766,242,500 for breaching the NDPA. Beyond the privacy breach, illegal data transfers carry significant implications.
NDPC uncovered that Multichoice violated the NDP Act by engaging in unauthorised data transfers. This compromised the personal information of subscribers and their friends who are not necessarily subscribers.
WhatsApp and its parent Meta were also ordered to pay a $220 million administrative penalty after being found guilty of data breaches and discriminatory practices following an appeal hearing. Meta was also ordered to pay an additional $35,000 to the commission for the cost of the investigation.
These moves by the NDPC come amid growing concerns over data security in Nigeria.
