BLOG

On Wednesday, 17 November 2021, our Tojola Yusuf and Oyin Banjoko attended the Lagos state Data Protection Bill public hearing held at the Lagos State House of Assembly.

It is the first attempt by a state government to legislate on data protection in Nigeria. The Bill will apply to the processing of personal data through automated or non-automated means by a controller or processor established in Lagos or not, processing the data of data subjects in Lagos State. It includes carrying out “processing activities through an office, branch or agency in the State”. The Bill contains provisions relating to principles of data protection, lawful bases for processing, rights of a data subject, obligations of data controllers and processors, establishment of a Commission, creation of exemptions and other provisions. It further stipulates sanctions for contravention of its provisions. While the Bill represents a milestone for the State, it raises a number of issues that we have included in our recommendations. 

At the public hearing, we presented our observations and recommendations before the House, which are contained in the memorandum we submitted to the House Committee on Science and Technology.

Some of our recommendations to the House include:

> Removal of the registration requirement for data controllers and processors;

> Removal of the fee required for the exercise of the right of access;

> Inclusion of the rights to erasure, portability, restriction of processing, object and the right not to be subject to automated decision making in the

rights available to data subjects;

> Inclusion of the principle of accountability and its obligations;

> Inclusion of the domicile of the data subjects in the territorial applicability of the Bill;

> Exclusion of the Commissioner for Science and Technology in the membership of the Data Protection Commission’s Board, The Commissioner being a

member of the executive will affect the independence of the Commission;

> Inclusion of ‘legitimate interest’ as a lawful basis for processing personal data;

> The need for data controllers to inform data subjects of a data breach without the Commission’s prompt;

> Removal of the requirement to regulate international transfer of personal data;

> Inclusion of the definition of a child in the Bill; and

> Removal of the requirement to register names of data subjects during the registration of data controllers and processors.

For more information, download our memorandum here.